CompTIA Security+ SY0-301 Practice Questions Third Edition Diane Barrett
800 East 96th Street, Indianapolis, Indiana 46240 USA
CompTIA Security+ SY0-301 Practice Questions Exam Cram, Third Edition
Copyright © 2012 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-4828-7
ISBN-10: 0-7897-4828-2
Printed in the United States of America
First Printing: December 2011
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.
Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]. For sales outside the U.S., please contact International Sales, [email protected].
Publisher: Paul Boger
Associate Publisher: David Dusthimer
Acquisitions Editor: Betsy Brown
Senior Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder
Technical Editor: Chris Crayton
Project Editor: Mandie Frank
Copy Editor: Barbara Hacha
Proofreader: Leslie Joseph
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Tim Warner
Cover Designer: Gary Adair
Page Layout: Studio Galou, LLC
Contents at a Glance
Introduction (p. 5)
CHAPTER 1: Domain 1.0: Network Security (p. 9)
CHAPTER 2: Domain 2.0: Compliance and Operational Security (p. 75)
CHAPTER 3: Domain 3.0: Threats and Vulnerabilities (p. 135)
CHAPTER 4: Domain 4.0: Application, Data, and Host Security (p. 223)
CHAPTER 5: Domain 5.0: Access Control and Identity Management (p. 269)
CHAPTER 6: Domain 6.0: Cryptography (p. 317)
Table of Contents
CompTIA Security+ (p. 1)
  It Pays to Get Certified (p. 1)
  How Certification Helps Your Career (p. 2)
  CompTIA Career Pathway (p. 2)
  Join the Professional Community (p. 3)
  Content Seal of Quality (p. 4)
  Why CompTIA? (p. 4)
  How to Obtain More Information (p. 4)
Introduction (p. 5)
  Who This Book Is For (p. 5)
  What You Will Find in This Book (p. 5)
  Hints for Using This Book (p. 6)
  Need Further Study? (p. 7)
Chapter One: Domain 1.0: Network Security (p. 9)
  Practice Questions (p. 10)
    Objective 1.1: Explain the security function and purpose of network devices and technologies. (p. 10)
    Objective 1.2: Apply and implement secure network administration principles. (p. 16)
    Objective 1.3: Distinguish and differentiate network design elements and compounds. (p. 23)
    Objective 1.4: Implement and use common protocols. (p. 32)
    Objective 1.5: Identify commonly used ports. (p. 36)
    Objective 1.6: Implement wireless network in a secure manner. (p. 40)
  Quick-Check Answer Key (p. 44)
    Objective 1.1: Explain the security function and purpose of network devices and technologies. (p. 44)
    Objective 1.2: Apply and implement secure network administration principles. (p. 44)
    Objective 1.3: Distinguish and differentiate network design elements and compounds. (p. 45)
    Objective 1.4: Implement and use common protocols. (p. 45)
    Objective 1.5: Identify commonly used ports. (p. 46)
    Objective 1.6: Implement wireless network in a secure manner. (p. 46)
  Answers and Explanations (p. 47)
    Objective 1.1: Explain the security function and purpose of network devices and technologies. (p. 47)
    Objective 1.2: Apply and implement secure network administration principles. (p. 52)
    Objective 1.3: Distinguish and differentiate network design elements and compounds. (p. 58)
    Objective 1.4: Implement and use common protocols. (p. 65)
    Objective 1.5: Identify commonly used ports. (p. 70)
    Objective 1.6: Implement wireless network in a secure manner. (p. 71)
Chapter Two: Domain 2.0: Compliance and Operational Security (p. 75)
  Practice Questions (p. 76)
    Objective 2.1: Explain risk related concepts. (p. 76)
    Objective 2.2: Carry out appropriate risk mitigation strategies. (p. 83)
    Objective 2.3: Execute appropriate incident response procedures. (p. 85)
    Objective 2.4: Explain the importance of security related awareness and training. (p. 87)
    Objective 2.5: Compare and contrast aspects of business continuity. (p. 92)
    Objective 2.6: Explain the impact and proper use of environmental controls. (p. 94)
    Objective 2.7: Execute disaster recovery plans and procedures. (p. 98)
    Objective 2.8: Exemplify the concepts of confidentiality, integrity, and availability. (p. 105)
  Quick-Check Answer Key (p. 108)
    Objective 2.1: Explain risk related concepts. (p. 108)
    Objective 2.2: Carry out appropriate risk mitigation strategies. (p. 108)
    Objective 2.3: Execute appropriate incident response procedures. (p. 108)
    Objective 2.4: Explain the importance of security related awareness and training. (p. 109)
    Objective 2.5: Compare and contrast aspects of business continuity. (p. 109)
    Objective 2.6: Explain the impact and proper use of environmental controls. (p. 109)
    Objective 2.7: Execute disaster recovery plans and procedures. (p. 110)
    Objective 2.8: Exemplify the concepts of confidentiality, integrity, and availability. (p. 110)
  Answers and Explanations (p. 111)
    Objective 2.1: Explain risk related concepts. (p. 111)
    Objective 2.2: Carry out appropriate risk mitigation strategies. (p. 117)
    Objective 2.3: Execute appropriate incident response procedures. (p. 118)
    Objective 2.4: Explain the importance of security related awareness and training. (p. 120)
    Objective 2.5: Compare and contrast aspects of business continuity. (p. 123)
    Objective 2.6: Explain the impact and proper use of environmental controls. (p. 125)
    Objective 2.7: Execute disaster recovery plans and procedures. (p. 128)
    Objective 2.8: Exemplify the concepts of confidentiality, integrity, and availability. (p. 133)
Chapter Three: Domain 3.0: Threats and Vulnerabilities (p. 135)
  Practice Questions (p. 136)
    Objective 3.1: Analyze and differentiate among types of malware. (p. 136)
    Objective 3.2: Analyze and differentiate among types of attacks. (p. 144)
    Objective 3.3: Analyze and differentiate among types of social engineering attacks. (p. 154)
    Objective 3.4: Analyze and differentiate among types of wireless attacks. (p. 156)
    Objective 3.5: Analyze and differentiate among types of application attacks. (p. 160)
    Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques. (p. 165)
    Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities. (p. 174)
    Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning. (p. 177)
  Quick-Check Answer Key (p. 180)
    Objective 3.1: Analyze and differentiate among types of malware. (p. 180)
    Objective 3.2: Analyze and differentiate among types of attacks. (p. 180)
    Objective 3.3: Analyze and differentiate among types of social engineering attacks. (p. 181)
    Objective 3.4: Analyze and differentiate among types of wireless attacks. (p. 181)
    Objective 3.5: Analyze and differentiate among types of application attacks. (p. 181)
    Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques. (p. 182)
    Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities. (p. 182)
    Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning. (p. 183)
  Answers and Explanations (p. 184)
    Objective 3.1: Analyze and differentiate among types of malware. (p. 184)
    Objective 3.2: Analyze and differentiate among types of attacks. (p. 191)
    Objective 3.3: Analyze and differentiate among types of social engineering attacks. (p. 200)
    Objective 3.4: Analyze and differentiate among types of wireless attacks. (p. 202)
    Objective 3.5: Analyze and differentiate among types of application attacks. (p. 206)
    Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques. (p. 210)
    Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities. (p. 216)
    Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning. (p. 219)
Chapter Four: Domain 4.0: Application, Data, and Host Security (p. 223)
  Practice Questions (p. 224)
    Objective 4.1: Explain the importance of application security. (p. 224)
    Objective 4.2: Carry out appropriate procedures to establish host security. (p. 232)
    Objective 4.3: Explain the importance of data security. (p. 239)
  Quick-Check Answer Key (p. 248)
    Objective 4.1: Explain the importance of application security. (p. 248)
    Objective 4.2: Carry out appropriate procedures to establish host security. (p. 248)
    Objective 4.3: Explain the importance of data security. (p. 249)
  Answers and Explanations (p. 250)
    Objective 4.1: Explain the importance of application security. (p. 250)
    Objective 4.2: Carry out appropriate procedures to establish host security. (p. 257)
    Objective 4.3: Explain the importance of data security. (p. 262)
Chapter Five: Domain 5.0: Access Control and Identity Management (p. 269)
  Practice Questions (p. 270)
    Objective 5.1: Explain the function and purpose of authentication services. (p. 270)
    Objective 5.2: Explain the fundamental concepts and best practices related to authorization and access control. (p. 275)
    Objective 5.3: Implement appropriate security controls when performing account management. (p. 285)
  Quick-Check Answer Key (p. 293)
    Objective 5.1: Explain the function and purpose of authentication services. (p. 293)
    Objective 5.2: Explain the fundamental concepts and best practices related to authorization and access control. (p. 293)
    Objective 5.3: Implement appropriate security controls when performing account management. (p. 294)
  Answers and Explanations (p. 295)
    Objective 5.1: Explain the function and purpose of authentication services. (p. 295)
    Objective 5.2: Explain the fundamental concepts and best practices related to authorization and access control. (p. 299)
    Objective 5.3: Implement appropriate security controls when performing account management. (p. 309)
Chapter Six: Domain 6.0: Cryptography (p. 317)
  Practice Questions (p. 318)
    Objective 6.1: Summarize general cryptography concepts. (p. 318)
    Objective 6.2: Use and apply appropriate cryptographic tools and products. (p. 323)
    Objective 6.3: Explain core concepts of public key infrastructure. (p. 329)
    Objective 6.4: Implement PKI, certificate management, and associated components. (p. 333)
  Quick-Check Answer Key (p. 338)
    Objective 6.1: Summarize general cryptography concepts. (p. 338)
    Objective 6.2: Use and apply appropriate cryptographic tools and products. (p. 338)
    Objective 6.3: Explain core concepts of public key infrastructure. (p. 339)
    Objective 6.4: Implement PKI, certificate management, and associated components. (p. 339)
  Answers and Explanations (p. 340)
    Objective 6.1: Summarize general cryptography concepts. (p. 340)
    Objective 6.2: Use and apply appropriate cryptographic tools and products. (p. 343)
    Objective 6.3: Explain core concepts of public key infrastructure. (p. 348)
    Objective 6.4: Implement PKI, certificate management, and associated components. (p. 351)
About the Author
Diane Barrett is the director of training for Paraben Corporation and an adjunct professor for American Military University. She has done contract forensic and security assessment work for several years and has authored other security and forensic books. She is a regular committee member for ADFSL’s Conference on Digital Forensics, Security and Law, as well as an academy director for Edvancement Solutions. She holds many industry certifications, including CISSP, ISSMP, DFCP, and PCME, along with many CompTIA certifications, including the Security+ (2011 objectives). Diane’s education includes an MS in Information Technology with a specialization in Information Security. She expects to complete a PhD in business administration with a specialization in Information Security shortly.
Dedication To my niece Elizabeth, who never ceases to amaze me.
Acknowledgments Publishing a book takes the collaboration and teamwork of many individuals. Thanks to everyone involved in this process at Pearson Education, especially Betsy and Drew. To the editorial and technical reviewers, especially Chris Crayton, thank you for making sure that my work was sound and on target. Special thanks to my husband for all his support and patience while I worked on this project.
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way. As an Associate Publisher for Pearson, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better. Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book. When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.
Email: [email protected]
Mail: David Dusthimer, Associate Publisher, Pearson, 800 East 96th Street, Indianapolis, IN 46240 USA
Reader Services Visit our website and register this book at www.examcram.com/register for convenient access to any updates, downloads, or errata that might be available for this book.
CompTIA Security+
• Designed for IT professionals focused on system security.
• Covers network infrastructure, cryptography, assessments, and audits.
• Security+ is mandated by the U.S. Department of Defense and is recommended by top companies such as Microsoft, HP, and Cisco.
It Pays to Get Certified
In a digital world, digital literacy is an essential survival skill—certification proves you have the knowledge and skill to solve business problems in virtually any business environment. Certifications are highly valued credentials that qualify you for jobs, increased compensation, and promotion. Security is one of the highest-demand job categories—growing in importance as the frequency and severity of security threats continue to be a major concern for organizations around the world.
• Jobs for security administrators are expected to increase by 18%—the skill set required for these types of jobs maps to CompTIA Security+ certification.
• Network Security Administrators—can earn as much as $106,000 per year.
• CompTIA Security+ is the first step—in starting your career as a Network Security Administrator or Systems Security Administrator.
• CompTIA Security+ is regularly used in organizations—such as Hitachi Information Systems, Trendmicro, the McAfee Elite Partner program, the U.S. State Department, and U.S. government contractors such as EDS, General Dynamics, and Northrop Grumman.
How Certification Helps Your Career
• IT Is Everywhere: IT is ubiquitous, needed by most organizations. Globally, there are over 600,000 IT job openings.
• IT Knowledge and Skills Gets Jobs: Certifications are essential credentials that qualify you for jobs, increased compensation, and promotion.
• Retain Your Job and Salary: Make your expertise stand above the rest. Competence is usually retained during times of change.
• Want to Change Jobs: Certifications qualify you for new opportunities, whether you are locked into a current job, see limited advancement, or need to change careers.
• Stick Out from the Resume Pile: Hiring managers can demand the strongest skill set.
CompTIA Career Pathway CompTIA offers a number of credentials that form a foundation for your career in technology and allow you to pursue specific areas of concentration. Depending on the path you choose to take, CompTIA certifications help you build upon your skills and knowledge, supporting learning throughout your entire career.
Steps to Getting Certified and Staying Certified
• Review Exam Objectives: Review the certification objectives to make sure you know what is covered in the exam. http://certification.comptia.org/Training/testingcenters/examobjectives.aspx
• Practice for the Exam: After you have studied for the certification, take a free assessment and sample test to get an idea of what type of questions might be on the exam. http://certification.comptia.org/Training/testingcenters/samplequestions.aspx
• Purchase an Exam Voucher: Purchase your exam voucher on the CompTIA Marketplace, which is located at http://www.comptiastore.com/
• Take the Test!: Select a certification exam provider and schedule a time to take your exam. You can find exam providers at the following link: http://certification.comptia.org/Training/testingcenters.aspx
• Stay Certified!: Effective January 1, 2011, new CompTIA Security+ certifications are valid for three years from the date of your certification. There are a number of ways the certification can be renewed, including continuing education. For more information go to http://certification.comptia.org/getCertified/steps_to_certification/stayCertified.aspx
Join the Professional Community
Join the IT Pro Community: http://itpro.comptia.org
The free IT Pro online community provides valuable content to students and professionals.
• Career IT Job Resources: Where to start in IT, Career Assessments, Salary Trends, US Job Board
• Forums on Networking, Security, Computing and Cutting Edge Technologies
• Access to blogs written by Industry Experts
• Current information on Cutting Edge Technologies
• Access to various industry resource links and articles related to IT and IT careers
Content Seal of Quality This courseware bears the seal of CompTIA Approved Quality Content. This seal signifies this content covers 100% of the exam objectives and implements important instructional design principles. CompTIA recommends multiple learning tools to help increase coverage of the learning objectives.
Why CompTIA?
• Global Recognition—CompTIA is recognized globally as the leading IT non-profit trade association and has enormous credibility. Plus, CompTIA’s certifications are vendor-neutral and offer proof of foundational knowledge that translates across technologies.
• Valued by Hiring Managers—Hiring managers value CompTIA certification, because it is vendor- and technology-independent validation of your technical skills.
• Recommended or Required by Government and Businesses—Many government organizations and corporations either recommend or require technical staff to be CompTIA certified. (For example, Dell, Sharp, Ricoh, the U.S. Department of Defense, and many more.)
• Three CompTIA Certifications ranked in the top 10—In a study by DICE of 17,000 technology professionals, certifications helped command higher salaries at all experience levels.
How to Obtain More Information
• Visit CompTIA online—www.comptia.org to learn more about getting CompTIA certified.
• Contact CompTIA—Call 866-835-8020 ext. 5 or email [email protected].
• Join the IT Pro Community—http://itpro.comptia.org to join the IT community to get relevant career information.
• Connect with us
Introduction
Welcome to CompTIA Security+ SY0-301 Practice Questions Exam Cram. The sole purpose of this book is to provide you with practice questions, answers, and explanations that will help you learn, drill, and review for the Security+ Certification (2011 Edition) exam. The book offers a large number of questions to practice each exam objective and will help you assess your knowledge before you take the real exam. The detailed answers to every question will help reinforce your knowledge about the different concepts covered on the Security+ (2011 Edition) exam.
Who This Book Is For If you have studied the SY0-301 exam’s content and think you are ready to put your knowledge to the test, but you are not sure that you want to take the real exam yet, this book is for you! Maybe you have answered other practice questions or unsuccessfully taken the real exam, reviewed, and want to do more practice questions before going to take the real exam; this book is for you, too! Even when the exam is done and you have passed with flying colors and have the Security+ Certification in your pocket, keep the book handy on your desktop to look for answers to your everyday security issues.
What You Will Find in This Book
This book is all about practice questions. The practice questions in the book, some very easy and others a bit more difficult (perhaps with a slightly complicated problem scenario, for example), are all aimed at raising your confidence level before you take the real exam. In fact, you will even find questions that you will face in real life. This book is organized according to the objectives published by CompTIA for the SY0-301: CompTIA Security+ (2011 Edition) exam (find the updated exam information at http://certification.comptia.org/Training/testingcenters/examobjectives.aspx). Each chapter corresponds to an exam domain, and in every chapter you will find the following three elements:
• Practice questions: These are the numerous questions that will help you learn, drill, and review exam objectives. All the questions in this section are multiple-choice type. Choose the correct answer based on your knowledge of security.
• Quick-check answer key: After you have finished answering the questions, you can quickly grade your exam from this section. Only correct answers are given in this section. No explanations are offered yet. Even if you have answered a question incorrectly, do not be discouraged. Just move on! Keep in mind that this is not the real exam. You can always review the topic and do the questions again.
• Answers and explanations: This section provides you with correct answers and further explanations about the content addressed in that question. Use this information to learn why an answer is correct and to reinforce the content in your mind for the exam day.
It is not possible to reflect a real exam on a paper product. As mentioned earlier, the purpose of the book is to help you prepare for the exam, not to provide you with real exam questions. Neither the author nor the publisher can guarantee that you will pass the exam just by memorizing the practice questions in this book.
You will also find a Cram Sheet at the beginning of the book specifically written for the exam day. The Cram Sheet contains core knowledge that you need for the exam and is also found in the book CompTIA Security+ SY0-301 Exam Cram, Third Edition (ISBN: 0789748290). The Cram Sheet condenses all the necessary facts covered on the exam into an easy-to-handle tear card. It is something you can carry with you to the testing center and use as a last-second study aid. Be aware that you cannot take the Cram Sheet into the exam room, though.
Hints for Using This Book Because this book is a practice product on paper, you might want to complete your exams on a separate piece of paper so that you can reuse the exams without having previous answers in your way. Also, a general rule across all practice question products is to make sure that you are scoring well into the high 80% to 90% range on all topics before attempting the real exam. The higher percentages you score on practice question products, the better your chances for passing the real exam. Of course, we cannot guarantee a passing score on the real exam, but we can offer you plenty of opportunities to practice and assess your knowledge levels before you enter the real exam.
When you have completed the exam on paper, use the companion CD to take a timed exam. Doing so will help build your confidence and help you determine whether you need to study more. Your results will indicate the exam objectives in which you need further study or hands-on practice.
Need Further Study? Are you having a hard time correctly answering these questions? If so, you probably need further review of all exam objectives. Be sure to see the following sister product to this book: CompTIA Security+ SY0-301 Exam Cram, Third Edition, by Diane Barrett, Kalani K. Hausman, and Martin Weiss (ISBN: 0789748290).
Chapter 1

Domain 1.0: Network Security

The easiest way to keep a computer safe is by physically isolating it from outside contact. With the way organizations do business today, this is virtually impossible. We have a global economy, and our networks are becoming increasingly complex. Domain 1 of the Security+ exam requires that you be familiar with securing the devices on the network. To secure devices, you must also understand the basic security concepts of network design. Be sure to give yourself plenty of time to review all these concepts. The following list identifies the key areas from Domain 1.0 (which counts for 21% of the exam) that you need to master:

• Explain the security function and purpose of network devices and technologies
• Apply and implement secure network administration principles
• Distinguish and differentiate network design elements and compounds
• Implement and use common protocols
• Identify commonly used default network ports
• Implement wireless networks in a secure manner
Practice Questions

Objective 1.1: Explain the security function and purpose of network devices and technologies.

1. Which of the following are functions of an intrusion detection system? (Select all correct answers.)
   ❍ A. Prevent attacks
   ❍ B. Analyze data
   ❍ C. Identify attacks
   ❍ D. Respond to attacks
   Quick Answer: 44, Detailed Answer: 47

2. Which of the following best describes the difference between an intrusion detection system and a firewall?
   ❍ A. IDSs control the information coming in and out of the network, whereas firewalls actually prevent attacks.
   ❍ B. Firewalls control the information coming in and out of the network, whereas IDSs identify unauthorized activity.
   ❍ C. Firewalls control the information coming in and out of the network, whereas IDSs actually prevent attacks.
   ❍ D. IDSs control the information coming in and out of the network, whereas firewalls identify unauthorized activity.
   Quick Answer: 44, Detailed Answer: 47

3. Which of the following best describes a host intrusion detection system?
   ❍ A. Examines the information exchanged between machines
   ❍ B. Attempts to prevent attacks in real time
   ❍ C. Controls the information coming in and out of the network
   ❍ D. Collects and analyzes data that originates on the local machine
   Quick Answer: 44, Detailed Answer: 47
4. Which of the following best describes a network intrusion detection system?
   ❍ A. Examines the information exchanged between machines
   ❍ B. Attempts to prevent attacks in real time
   ❍ C. Controls the information coming in and out of the network
   ❍ D. Collects and analyzes data that originates on the local machine
   Quick Answer: 44, Detailed Answer: 47

5. Which of the following best describes a network intrusion prevention system?
   ❍ A. Examines the information exchanged between machines
   ❍ B. Attempts to prevent attacks in real time
   ❍ C. Controls the information coming in and out of the network
   ❍ D. Collects and analyzes data that originates on the local machine
   Quick Answer: 44, Detailed Answer: 47

6. Which of the following are servers that distribute IP traffic to multiple copies of a TCP/IP service and are configured in a cluster to provide scalability and high availability?
   ❍ A. Virtual machine hosts
   ❍ B. VPN concentrators
   ❍ C. Storage area networks
   ❍ D. Load balancers
   Quick Answer: 44, Detailed Answer: 47

7. Which of the following is true when implementing a NIPS? (Select all correct answers.)
   ❍ A. The sensors must be placed on domain controllers to function properly.
   ❍ B. The sensors must be physically inline to function properly.
   ❍ C. It adds single points of failure to the network.
   ❍ D. It adds additional redundancy to the network.
   Quick Answer: 44, Detailed Answer: 48
8. Which of the following best describes fail-open technology in reference to the implementation of NIPS?
   ❍ A. If the device fails, it provides application redundancy.
   ❍ B. If the device fails, it prevents a fire from starting.
   ❍ C. If the device fails, it causes a complete network outage.
   ❍ D. If the device fails, a complete network outage will be avoided.
   Quick Answer: 44, Detailed Answer: 48

9. Which of the following best describes a firewall?
   ❍ A. Examines the information exchanged between machines
   ❍ B. Attempts to prevent attacks in real time
   ❍ C. Controls the information coming in and out of the network
   ❍ D. Collects and analyzes data that originates on the local machine
   Quick Answer: 44, Detailed Answer: 48

10. Which of the following are servers that distribute IP traffic to multiple copies of a TCP/IP service and are configured in a cluster to provide scalability and high availability?
   ❍ A. VPN concentrators
   ❍ B. Load balancers
   ❍ C. Virtual machine hosts
   ❍ D. Storage area networks
   Quick Answer: 44, Detailed Answer: 48

11. Which of the following best describes a packet-filtering firewall?
   ❍ A. Relies on algorithms to process application layer data
   ❍ B. Operates at the OSI network layer
   ❍ C. Operates at the OSI session layer
   ❍ D. Examines traffic for application layer protocols
   Quick Answer: 44, Detailed Answer: 48

12. Which of the following best describes a stateful-inspection firewall?
   ❍ A. Relies on algorithms to process application layer data
   ❍ B. Operates at the OSI network layer
   ❍ C. Operates at the OSI session layer
   ❍ D. Examines traffic for application layer protocols
   Quick Answer: 44, Detailed Answer: 48
13. Which of the following best describes a circuit-level firewall?
   ❍ A. Relies on algorithms to process application layer data
   ❍ B. Operates at the OSI network layer
   ❍ C. Operates at the OSI session layer
   ❍ D. Examines traffic for application layer protocols
   Quick Answer: 44, Detailed Answer: 49

14. Which of the following best describes an application-level firewall?
   ❍ A. Relies on algorithms to process application layer data
   ❍ B. Operates at the OSI network layer
   ❍ C. Operates at the OSI session layer
   ❍ D. Examines traffic for application layer protocols
   Quick Answer: 44, Detailed Answer: 49

15. Which of the following are functions of proxy servers? (Select all correct answers.)
   ❍ A. Caching
   ❍ B. Logging
   ❍ C. Addressing
   ❍ D. Filtering
   Quick Answer: 44, Detailed Answer: 49

16. Which of the following are examples of a bastion host? (Select all correct answers.)
   ❍ A. Web server
   ❍ B. Email server
   ❍ C. Database server
   ❍ D. DHCP server
   Quick Answer: 44, Detailed Answer: 49

17. Which of the following should be implemented if the organization wants to substantially reduce Internet traffic?
   ❍ A. Content filter
   ❍ B. Proxy server
   ❍ C. Protocol analyzer
   ❍ D. Packet-filtering firewall
   Quick Answer: 44, Detailed Answer: 49

18. Which of the following should be implemented if the organization wants a simple, good first line of defense?
   ❍ A. Content filter
   ❍ B. Proxy server
   ❍ C. Protocol analyzer
   ❍ D. Packet-filtering firewall
   Quick Answer: 44, Detailed Answer: 50
19. Which of the following should be implemented if the organization wants to monitor unauthorized transfer of confidential information?
   ❍ A. Content filter
   ❍ B. Proxy server
   ❍ C. Protocol analyzer
   ❍ D. Packet-filtering firewall
   Quick Answer: 44, Detailed Answer: 50

20. Which of the following should be implemented if the organization wants to troubleshoot network issues?
   ❍ A. Content filter
   ❍ B. Proxy server
   ❍ C. Protocol analyzer
   ❍ D. Packet-filtering firewall
   Quick Answer: 44, Detailed Answer: 50

21. Which of the following should be implemented if the organization wants to capture proper documentation for forensic investigations and litigation purposes?
   ❍ A. Content filter
   ❍ B. Proxy server
   ❍ C. Protocol analyzer
   ❍ D. Packet-filtering firewall
   Quick Answer: 44, Detailed Answer: 51

22. Content filtering is integrated at which of the following levels?
   ❍ A. Network level
   ❍ B. Application level
   ❍ C. System kernel level
   ❍ D. Operating system level
   Quick Answer: 44, Detailed Answer: 51

23. Which of the following is the biggest drawback of using content filtering?
   ❍ A. Network bandwidth is reduced.
   ❍ B. Daily updates are required.
   ❍ C. Terminology must be defined.
   ❍ D. Opens the system to DoS attacks.
   Quick Answer: 44, Detailed Answer: 51
24. Which of the following are functions of a protocol analyzer? (Select all correct answers.)
   ❍ A. Monitor for unexpected traffic
   ❍ B. Identify unnecessary protocols
   ❍ C. Prevent SMTP relay from being exploited
   ❍ D. Prevent DoS attacks by unauthorized parties
   Quick Answer: 44, Detailed Answer: 51

25. Which of the following is true about the use of content filtering?
   ❍ A. It will report all violations identified in one group of applications.
   ❍ B. It will report only violations identified in the specified applications.
   ❍ C. It will report only violations identified in one application at a time.
   ❍ D. It will report all violations identified in all applications.
   Quick Answer: 44, Detailed Answer: 51

26. Which of the following most accurately describes personal firewall design?
   ❍ A. Closes off systems by integrity checking
   ❍ B. Closes off systems by blocking port access
   ❍ C. Closes off systems by blacklisting applications
   ❍ D. Closes off systems by blocking BIOS access
   Quick Answer: 44, Detailed Answer: 52

27. Which of the following types of detection does a host intrusion detection system use? (Select all correct answers.)
   ❍ A. Anomaly detection
   ❍ B. Misuse detection
   ❍ C. Blacklist detection
   ❍ D. Outbound detection
   Quick Answer: 44, Detailed Answer: 52

28. Which of the following is the most appropriate reason for firewalls to monitor outbound connections?
   ❍ A. To track the collection of personal data
   ❍ B. To track users going to inappropriate sites
   ❍ C. To monitor excessive user bandwidth usage
   ❍ D. To catch malware that transmits information
   Quick Answer: 44, Detailed Answer: 52
29. Which of the following best describes the characteristics of host-based IDSs? (Select all correct answers.)
   ❍ A. Good at detecting unauthorized user activity
   ❍ B. Good at detecting unauthorized file modifications
   ❍ C. Good at detecting denial of service attacks
   ❍ D. Good at detecting unauthorized user access
   Quick Answer: 44, Detailed Answer: 52

30. Which of the following is the main purpose of a host-based IDS?
   ❍ A. Prevent attacks in real time
   ❍ B. Locate packets not allowed on the network
   ❍ C. Proactively protect machines against attacks
   ❍ D. Analyze data that originates on the local machine
   Quick Answer: 44, Detailed Answer: 52
Objective 1.2: Apply and implement secure network administration principles.

1. The organization requires email traffic in a DMZ segment; which of the following TCP ports will be open? (Select all correct answers.)
   ❍ A. 110
   ❍ B. 21
   ❍ C. 25
   ❍ D. 443
   Quick Answer: 44, Detailed Answer: 52

2. Which of the following UDP ports must be open to allow SNMP traffic through the router?
   ❍ A. 161
   ❍ B. 162
   ❍ C. 443
   ❍ D. 4445
   Quick Answer: 44, Detailed Answer: 52

3. Which of the following best describes a demilitarized zone (DMZ)?
   ❍ A. A small network between the database servers and file servers
   ❍ B. A small network between the internal network and the Internet
   ❍ C. A portion of the internal network that uses web-based technologies
   ❍ D. A portion of the internal infrastructure used in business-to-business relationships
   Quick Answer: 44, Detailed Answer: 52

4. Which of the following best describes a virtual local-area network (VLAN)?
   ❍ A. A method to allow multiple computers to connect to the Internet using one IP address
   ❍ B. A method to unite network nodes physically into the same broadcast domain
   ❍ C. A method to split one network into two using routers to connect them together
   ❍ D. A method to unite network nodes logically into the same broadcast domain
   Quick Answer: 44, Detailed Answer: 53

5. Which of the following best describes Network Address Translation (NAT)?
   ❍ A. A method to allow multiple computers to connect to the Internet using one IP address
   ❍ B. A method to unite network nodes physically into the same broadcast domain
   ❍ C. A method to split one network into two using routers to connect them together
   ❍ D. A method to unite network nodes logically into the same broadcast domain
   Quick Answer: 44, Detailed Answer: 53

6. Which of the following best describes subnetting?
   ❍ A. A method to allow multiple computers to connect to the Internet using one IP address
   ❍ B. A method to unite network nodes physically into the same broadcast domain
   ❍ C. A method to split one network into two using routers to connect them together
   ❍ D. A method to unite network nodes logically into the same broadcast domain
   Quick Answer: 44, Detailed Answer: 53
7. Which of the following is the most important security aspect of using Network Address Translation (NAT)?
   ❍ A. It unites network nodes logically into the same broadcast domain.
   ❍ B. It hides the internal network from the outside world.
   ❍ C. It allows users to be grouped by department rather than location.
   ❍ D. It allows external users to access necessary information.
   Quick Answer: 44, Detailed Answer: 53

8. Which of the following is the most common reason networks are subnetted?
   ❍ A. To allow logical division on the same broadcast domain
   ❍ B. To hide the internal network from the outside world
   ❍ C. For easier application of security policies
   ❍ D. To control network traffic
   Quick Answer: 44, Detailed Answer: 53

9. Which of the following private IP address ranges should be used for the internal network when there are 100 host systems?
   ❍ A. 10.x.x.x
   ❍ B. 172.16.x.x
   ❍ C. 192.168.1.x
   ❍ D. 224.1.1.x
   Quick Answer: 44, Detailed Answer: 54

10. When a client machine receives an IP address of 169.254.0.15, it is an indication of which of the following?
   ❍ A. The client cannot contact the DHCP server.
   ❍ B. The client has a corrupt routing table.
   ❍ C. The client has a manually configured address.
   ❍ D. The client cannot contact the DNS server.
   Quick Answer: 44, Detailed Answer: 54

11. Automatic Private IP Addressing (APIPA) is denoted by which of the following IP addresses?
   ❍ A. 192.168.1.10
   ❍ B. 169.254.0.5
   ❍ C. 224.223.10.1
   ❍ D. 172.16.15.84
   Quick Answer: 44, Detailed Answer: 54
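The address ranges behind questions 9 through 11 (and the NAT ranges asked about in question 13 below) can be checked mechanically rather than memorized. The following Python is an added example written for this page, not code from the book: it labels an IPv4 address as RFC 1918 private, link-local (APIPA), multicast or public, reports whether it belongs on the inside of a NAT gateway, counts usable hosts in a subnet, and computes the longest prefix that still fits a given number of hosts. The range table is the standard allocation; the sample addresses in the usage are constructed.

```python
import ipaddress

# Reference ranges the questions turn on (standard allocations, not text from the book).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918: 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918: 172.16.x.x through 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918: 192.168.x.x
]
APIPA = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 link-local, self-assigned when DHCP fails
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224.x.x.x - 239.x.x.x: never a host address


def classify(text: str) -> str:
    """Label an IPv4 address: 'private', 'apipa', 'multicast' or 'public'."""
    ip = ipaddress.ip_address(text)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    if ip in APIPA:
        # A client showing 169.254.x.x never got an answer from a DHCP server (question 10).
        return "apipa"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if ip in MULTICAST:
        return "multicast"
    return "public"


def usable_behind_nat(text: str) -> bool:
    """Only RFC 1918 space belongs on the inside of a NAT gateway (question 13).
    APIPA and multicast addresses are not routable host addresses at all."""
    return classify(text) == "private"


def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a subnet (network and broadcast addresses excluded)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def prefix_for_hosts(needed: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `needed` usable hosts.
    Starts at two host bits because /31 and /32 carry no ordinary host addresses."""
    if needed < 1:
        raise ValueError("need at least one host")
    host_bits = 2
    while (2 ** host_bits) - 2 < needed:
        host_bits += 1
    return 32 - host_bits


if __name__ == "__main__":
    # Constructed addresses taken from the answer choices above.
    for addr in ("10.1.2.3", "172.16.15.84", "192.168.1.10", "169.254.0.15", "224.1.1.1", "8.8.8.8"):
        print(f"{addr:15} {classify(addr):9} nat-internal={usable_behind_nat(addr)}")
    print("192.168.1.0/24 usable hosts:", usable_hosts("192.168.1.0/24"))
    print("prefix for 100 hosts: /%d" % prefix_for_hosts(100))
```

A /24 out of 192.168.x.x gives 254 usable hosts, comfortably more than the 100 the question needs, while a /25 (126 hosts) is the tightest fit; 224.1.1.x is multicast and cannot be assigned to hosts at all.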
12. Which of the following best describes network access control (NAC)?
   ❍ A. A method to allow multiple computers to connect to the Internet using one IP address
   ❍ B. A method to split one network into two using routers to connect them together
   ❍ C. A method to unite network nodes logically into the same broadcast domain
   ❍ D. A method of enforcement that helps ensure computers are properly configured
   Quick Answer: 44, Detailed Answer: 54

13. Which of the following IP address ranges can be used for the internal network when using NAT? (Select all correct answers.)
   ❍ A. 10.x.x.x
   ❍ B. 172.16.x.x
   ❍ C. 192.168.1.x
   ❍ D. 224.1.1.x
   Quick Answer: 44, Detailed Answer: 54

14. Which of the following are basic components of NAC? (Select all correct answers.)
   ❍ A. Access requestor
   ❍ B. Network redirector
   ❍ C. Policy enforcement point
   ❍ D. Policy decision point
   Quick Answer: 44, Detailed Answer: 54

15. Which of the following devices can be a policy enforcement point in NAC? (Select all correct answers.)
   ❍ A. Hub
   ❍ B. Switch
   ❍ C. Firewall
   ❍ D. Router
   Quick Answer: 44, Detailed Answer: 55

16. Which of the following best describes the NAC method that performs an assessment as hosts come online, and then grants appropriate access?
   ❍ A. Inline
   ❍ B. Out-of-band
   ❍ C. Switch based
   ❍ D. Host based
   Quick Answer: 44, Detailed Answer: 55
17. Which of the following is a business benefit associated with the use of NAC? (Select all correct answers.)
   ❍ A. Compliance
   ❍ B. Separation of duties
   ❍ C. Improved security posture
   ❍ D. Operational cost management
   Quick Answer: 44, Detailed Answer: 55

18. Which of the following are ways to mitigate vulnerabilities associated with a PBX? (Select all correct answers.)
   ❍ A. Changing any default passwords that have been set
   ❍ B. Physically securing the area where the PBX resides
   ❍ C. Implementing an encryption solution
   ❍ D. Putting a data-validation system in place
   Quick Answer: 44, Detailed Answer: 55

19. Which of the following types of attack is associated with the use of a PBX?
   ❍ A. Man-in-the-middle
   ❍ B. Buffer overflows
   ❍ C. Denial of service
   ❍ D. Social engineering
   Quick Answer: 44, Detailed Answer: 55

20. Which of the following types of attack are associated with the use of VoIP? (Select all correct answers.)
   ❍ A. Man-in-the-middle
   ❍ B. Buffer overflows
   ❍ C. Denial of service
   ❍ D. Social engineering
   Quick Answer: 44, Detailed Answer: 55

21. Which of the following is an inherent security risk associated with using SIP-based VoIP?
   ❍ A. It leaves the network open to long-distance toll fraud.
   ❍ B. It leaves the network open to war-dialing attacks.
   ❍ C. It leaves the network open to unauthorized transport of data.
   ❍ D. It leaves the network open to war-driving attacks.
   Quick Answer: 44, Detailed Answer: 55
22. Which of the following is an inherent security risk associated with using a PBX?
   ❍ A. It leaves the network open to long-distance toll fraud.
   ❍ B. It leaves the network open to war-dialing attacks.
   ❍ C. It leaves the network open to unauthorized transport of data.
   ❍ D. It leaves the network open to war-driving attacks.
   Quick Answer: 44, Detailed Answer: 56

23. Which of the following is an inherent security risk associated with using a modem pool?
   ❍ A. It leaves the network open to long-distance toll fraud.
   ❍ B. It leaves the network open to war-dialing attacks.
   ❍ C. It leaves the network open to unauthorized transport of data.
   ❍ D. It leaves the network open to war-driving attacks.
   Quick Answer: 44, Detailed Answer: 56

24. Which of the following solutions can help mitigate the risks and vulnerabilities associated with VoIP? (Select all correct answers.)
   ❍ A. Authentication
   ❍ B. Setting the callback features
   ❍ C. Data validation
   ❍ D. Implementing a firewall solution
   Quick Answer: 44, Detailed Answer: 56

25. Which of the following solutions can help mitigate the risks and vulnerabilities associated with modems? (Select all correct answers.)
   ❍ A. Authentication
   ❍ B. Setting the callback features
   ❍ C. Data validation
   ❍ D. Implementing a firewall solution
   Quick Answer: 44, Detailed Answer: 56

26. Which of the following is used to prevent STP issues?
   ❍ A. Loop protection
   ❍ B. Flood guard
   ❍ C. Implicit deny
   ❍ D. Port security
   Quick Answer: 44, Detailed Answer: 56
27. Which of the following is a firewall feature used to mitigate denial of service attacks?
   ❍ A. Loop protection
   ❍ B. Flood guard
   ❍ C. Implicit deny
   ❍ D. Port security
   Quick Answer: 44, Detailed Answer: 56

28. Which of the following is a Layer 2 traffic control feature?
   ❍ A. Loop protection
   ❍ B. Flood guard
   ❍ C. Implicit deny
   ❍ D. Port security
   Quick Answer: 44, Detailed Answer: 57

29. Which of the following would best mitigate the risks associated with allowing network access to a business partner?
   ❍ A. Log analysis
   ❍ B. Access control lists
   ❍ C. Network segmentation
   ❍ D. Proper VLAN management
   Quick Answer: 44, Detailed Answer: 57

30. Which of the following would be the best solution to create multiple, isolated local networks on one switch?
   ❍ A. Port security
   ❍ B. Access control lists
   ❍ C. Network segmentation
   ❍ D. Proper VLAN management
   Quick Answer: 44, Detailed Answer: 57

31. Which of the following best describes system logging?
   ❍ A. The process of measuring the performance of a network
   ❍ B. The process of collecting data to be used for monitoring
   ❍ C. The process of tracking users and actions on the network
   ❍ D. The process of observing the state of a system
   Quick Answer: 44, Detailed Answer: 57

32. To get an accurate view of a network, which of the following must precede logging?
   ❍ A. Baselining
   ❍ B. Auditing
   ❍ C. Monitoring
   ❍ D. Archiving
   Quick Answer: 44, Detailed Answer: 57

33. Which of the following best describes the way logging should be implemented?
   ❍ A. Only the user events should be logged.
   ❍ B. Only pertinent events should be logged.
   ❍ C. All events should be logged so nothing is missed.
   ❍ D. Nothing should be logged until there is a need for it.
   Quick Answer: 44, Detailed Answer: 57

34. Application logging standards should be implemented for the types of events the organization logs based on which of the following? (Select all correct answers.)
   ❍ A. User requirements
   ❍ B. Vendor requirements
   ❍ C. Business requirements
   ❍ D. Regulatory requirements
   Quick Answer: 44, Detailed Answer: 57

35. Which of the following is pertinent in addition to reading the log files?
   ❍ A. Knowing how to correlate events
   ❍ B. Knowing how to parse log files
   ❍ C. Knowing how to delete events
   ❍ D. Knowing how to export log files
   Quick Answer: 44, Detailed Answer: 58
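Question 27 of objective 1.1 (anomaly versus misuse detection) and questions 32 through 35 above (baselining, logging only pertinent events, parsing and correlating log files) describe the same workflow from different angles. The following Python is an added example, not code from the book: it parses a handful of constructed sshd syslog lines, applies two signature rules (misuse detection, which fires on a known-bad pattern no matter how often it occurs) and then correlates authentication failures per source address inside a sliding window against a baseline (anomaly detection), reporting separately any successful login that arrives while the source is over that baseline. The log lines, the signatures, the baseline value and the 2011 year assumption are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog lines carry no year; the constructed sample is assumed to be from 2011.
ASSUMED_YEAR = 2011

# Constructed sshd/cron lines in classic syslog format (not taken from any real host).
SAMPLE_LOG = """\
Mar 11 10:15:01 bastion sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 11 10:15:03 bastion sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 11 10:15:04 bastion sshd[2305]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 11 10:15:06 bastion sshd[2309]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 11 10:15:09 bastion sshd[2311]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 11 10:20:44 bastion sshd[2340]: Failed password for dbarrett from 192.168.1.25 port 40110 ssh2
Mar 11 10:20:51 bastion sshd[2342]: Accepted publickey for dbarrett from 192.168.1.25 port 40112 ssh2
Mar 11 10:21:00 bastion cron[2350]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Misuse (signature) detection: known-bad patterns, flagged regardless of volume.
SIGNATURES = {
    "ssh-invalid-user": re.compile(r"Failed password for invalid user"),
    "ssh-root-login": re.compile(r"Accepted \w+ for root from"),
}


def parse_line(line):
    """Split one syslog line into timestamp, host, process, pid and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "pid": int(m["pid"]), "msg": m["msg"]}


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def auth_events(records):
    """Reduce sshd records to (timestamp, source, user, succeeded) tuples."""
    events = []
    for rec in records:
        if rec["proc"] != "sshd":
            continue
        m = AUTH_RE.match(rec["msg"])
        if m:
            events.append((rec["ts"], m["src"], m["user"], m["result"] == "Accepted"))
    return events


def signature_hits(records):
    """Misuse detection: how many records match each known-bad signature."""
    hits = defaultdict(int)
    for rec in records:
        for name, rx in SIGNATURES.items():
            if rx.search(rec["msg"]):
                hits[name] += 1
    return dict(hits)


def correlate(events, window=timedelta(seconds=60), baseline=2):
    """Anomaly detection by correlation. `baseline` is the number of failures per window
    treated as normal (what a baselining exercise establishes before logs are relied on).
    Failures per source are kept in a sliding window; a source over the baseline is
    flagged, and an accepted login arriving while the source is over the baseline is
    reported on its own, because that is what turns a brute-force attempt into a compromise."""
    recent = defaultdict(deque)
    flagged = {}
    suspicious_logins = []
    for ts, src, user, ok in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()                      # drop failures that fell out of the window
        if ok:
            if len(q) > baseline:
                suspicious_logins.append((src, user))
            continue
        q.append(ts)
        if len(q) > baseline:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged, suspicious_logins


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("signatures:", signature_hits(recs))
    print("correlation:", correlate(auth_events(recs)))
```

On the sample, the signatures fire on the two "invalid user" attempts and the root login, but only the correlation step shows that 203.0.113.7 made four failed attempts in ten seconds and then got in as root, while the single mistyped password from 192.168.1.25 stays below the baseline and is never reported.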
Objective 1.3: Distinguish and differentiate network design elements and compounds.

1. Which of the following are objectives for the placement of firewalls? (Select all correct answers.)
   ❍ A. Identify unnecessary protocols
   ❍ B. Allow only traffic that is necessary
   ❍ C. Provide notification of suspicious behavior
   ❍ D. Monitor unauthorized transfer of information
   Quick Answer: 45, Detailed Answer: 58
2. Which of the following is the most likely placement of each firewall when an organization is deploying only two of them?
   ❍ A. One behind the DMZ and one between the intranet and the extranet
   ❍ B. One in front of the DMZ and one between the intranet and the extranet
   ❍ C. One in front of the DMZ and one between the DMZ and the internal network
   ❍ D. One in front of the DMZ and one between the financial data and the user data
   Quick Answer: 45, Detailed Answer: 58

3. Which of the following best describes the reason packet-filtering firewalls are considered unsecure as compared to other types of firewalls?
   ❍ A. They allow packets regardless of communication patterns.
   ❍ B. Because of physical placement, they are very accessible.
   ❍ C. It is impossible to create a secure password for them.
   ❍ D. They can be compromised with very little effort.
   Quick Answer: 45, Detailed Answer: 58
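Question 3 turns on why a packet filter is weaker than a stateful-inspection firewall (compare questions 11 and 12 of objective 1.1, and the DMZ mail and SNMP ports in questions 1 and 2 of objective 1.2). The following Python is an added example, not code from the book: it models both filter types over the same constructed rule set. Because a stateless filter judges each packet on its own, the return traffic of SMTP, POP3 and SNMP has to be permitted by extra rules keyed on source port, and those rules also pass forged packets from anyone who sets source port 25 or 161. The stateful filter keeps a connection table instead, so replies are accepted only for conversations it saw start, and the forged packets fall through to the implicit deny. All hosts, ports, rules and flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: DMZ mail host and router, inside management station,
# an outside mail client and an attacker.
MAIL_HOST = "203.0.113.25"
DMZ_ROUTER = "203.0.113.1"
MGMT_HOST = "192.168.1.10"
CLIENT = "198.51.100.40"
ATTACKER = "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str
    dst: Optional[str] = None    # None matches any destination host
    dport: Optional[int] = None  # None matches any destination port
    sport: Optional[int] = None  # None matches any source port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))


# Policy for the DMZ mail segment and SNMP management: SMTP and POP3 to the mail host,
# SNMP queries to the DMZ router, SNMP traps back to the management station.
BASE_RULES = [
    Rule("allow", "tcp", dst=MAIL_HOST, dport=25),
    Rule("allow", "tcp", dst=MAIL_HOST, dport=110),
    Rule("allow", "udp", dst=DMZ_ROUTER, dport=161),
    Rule("allow", "udp", dst=MGMT_HOST, dport=162),
]

# A stateless filter cannot recognise replies, so the return direction has to be opened
# with rules keyed on source port. These three rules are the holes.
STATELESS_RULES = BASE_RULES + [
    Rule("allow", "tcp", sport=25),
    Rule("allow", "tcp", sport=110),
    Rule("allow", "udp", sport=161),
]


class StatelessFilter:
    """Packet filter: first matching rule wins, implicit deny at the end of the list."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Stateful inspection: the rules are consulted only for new conversations;
    anything else must belong to a conversation already in the state table."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "allow"                  # reply or continuation of a tracked flow
        if p.proto == "tcp" and not p.syn:
            return "deny"                   # mid-stream TCP with no state: forged or stray
        action = super().decide(p)
        if action == "allow":
            self.table.add(key)             # remember the flow so its replies get back in
        return action


def run_scenarios():
    """Push the same packets through both filters; returns {name: (stateless, stateful)}."""
    stateless = StatelessFilter(STATELESS_RULES)
    stateful = StatefulFilter(BASE_RULES)
    flows = [
        ("smtp syn in", Packet("tcp", CLIENT, 51000, MAIL_HOST, 25, syn=True)),
        ("smtp reply out", Packet("tcp", MAIL_HOST, 25, CLIENT, 51000)),
        ("ftp syn in", Packet("tcp", CLIENT, 51001, MAIL_HOST, 21, syn=True)),
        ("forged sport 25 to rdp", Packet("tcp", ATTACKER, 25, MGMT_HOST, 3389)),
        ("snmp get out", Packet("udp", MGMT_HOST, 50000, DMZ_ROUTER, 161)),
        ("snmp reply in", Packet("udp", DMZ_ROUTER, 161, MGMT_HOST, 50000)),
        ("forged sport 161 to dns", Packet("udp", ATTACKER, 161, MGMT_HOST, 53)),
    ]
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in flows}


if __name__ == "__main__":
    for name, (a, b) in run_scenarios().items():
        print(f"{name:26} stateless={a:5} stateful={b}")
```

Both filters pass the legitimate SMTP and SNMP exchanges and both deny the FTP attempt, but the two forged packets with source ports 25 and 161 sail through the stateless filter and are dropped by the stateful one: that is the communication-pattern blindness answer A refers to.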
4. Which of the following best describes why an organization would implement a proxy service firewall?
   ❍ A. To prevent DoS attacks by unauthorized parties
   ❍ B. To monitor unauthorized transfer of confidential information
   ❍ C. To capture proper documentation for forensic investigations
   ❍ D. To prevent user computers from directly accessing the Internet
   Quick Answer: 45, Detailed Answer: 58

5. Which of the following best describes what governs the traffic of proxy service firewalls?
   ❍ A. Settings
   ❍ B. Rules
   ❍ C. Policies
   ❍ D. Guidelines
   Quick Answer: 45, Detailed Answer: 58
6. Which of the following technologies would you implement when setting up a switched network and you want to group users by department?
   ❍ A. VPN
   ❍ B. NAT
   ❍ C. VLAN
   ❍ D. DMZ
   Quick Answer: 45, Detailed Answer: 59

7. Where would an organization place a web server that needs to be accessed by both the employees and by external customers?
   ❍ A. VPN
   ❍ B. NAT
   ❍ C. VLAN
   ❍ D. DMZ
   Quick Answer: 45, Detailed Answer: 59

8. Which of the following would an organization implement to monitor the internal network and external traffic when the source of recent security breaches is unknown? (Select all correct answers.)
   ❍ A. Firewall
   ❍ B. Content filter
   ❍ C. Host-based IDS
   ❍ D. Network-based IDS
   Quick Answer: 45, Detailed Answer: 59

9. Which of the following is the most likely placement of a proxy server when a small organization is deploying it for Internet connectivity?
   ❍ A. On the internal network
   ❍ B. Between the internal network and the Internet
   ❍ C. Between the web server and file server
   ❍ D. In parallel with IP routers
   Quick Answer: 45, Detailed Answer: 59

10. Which of the following is the most likely placement of a proxy server when a small organization is deploying it for content caching?
   ❍ A. On the internal network
   ❍ B. Between the internal network and the Internet
   ❍ C. Between the web server and file server
   ❍ D. In parallel with IP routers
   Quick Answer: 45, Detailed Answer: 59
11. Which of the following is the most likely placement of a proxy server when a small organization is deploying it for both Internet connectivity and web content caching?
   ❍ A. On the internal network
   ❍ B. Between the internal network and the Internet
   ❍ C. Between the web server and file server
   ❍ D. In parallel with IP routers
   Quick Answer: 45, Detailed Answer: 60

12. Which of the following is the most likely placement of a proxy server when a large organization is deploying it for Internet connectivity?
   ❍ A. On the internal network
   ❍ B. Between the internal network and the Internet
   ❍ C. Between the web server and file server
   ❍ D. In parallel with IP routers
   Quick Answer: 45, Detailed Answer: 60

13. Which of the following best describes the mechanics of Internet content filtering?
   ❍ A. Analyzes data against a database contained in the software
   ❍ B. Analyzes data by scanning against a vendor-provided rule base
   ❍ C. Analyzes data against preset rules contained in the software
   ❍ D. Analyzes data by matching against predefined traffic patterns
   Quick Answer: 45, Detailed Answer: 60

14. Which of the following would be likely placements of a hardware network Internet content filtering device? (Select all correct answers.)
   ❍ A. Behind the proxy/NAT point
   ❍ B. On the individual user machines
   ❍ C. In a DMZ with public addresses behind a packet-filtering router
   ❍ D. Connected to the same network segment as the users monitored
   Quick Answer: 45, Detailed Answer: 60

15. Which of the following is the most likely reason to place a proxy server in parallel with IP routers?
   ❍ A. To allow for better content caching
   ❍ B. To prevent direct access to the Internet
   ❍ C. To allow for network load balancing
   ❍ D. To prevent unauthorized transfer of data
   Quick Answer: 45, Detailed Answer: 60

16. Which of the following are the most likely placements of a network protocol analyzer? (Select all correct answers.)
   ❍ A. Inline
   ❍ B. On the outside of the DMZ
   ❍ C. On the outside of the Internet router
   ❍ D. Between the devices of the traffic capture
   Quick Answer: 45, Detailed Answer: 61

17. Which of the following is the most likely placement of a packet-filtering firewall?
   ❍ A. In the DMZ, between it and the internal network
   ❍ B. On the internal network between servers
   ❍ C. Between the Internet and the protected network
   ❍ D. Securing the main perimeter
   Quick Answer: 45, Detailed Answer: 61

18. Which of the following is the most common unintended consequence when deploying multiple firewalls?
   ❍ A. Legitimate traffic gets blocked.
   ❍ B. Increased network latency.
   ❍ C. Increased attack vector.
   ❍ D. Troubleshooting becomes complex.
   Quick Answer: 45, Detailed Answer: 61

19. Which of the following is the most likely placement of a proxy service firewall?
   ❍ A. In the DMZ, between it and the internal network
   ❍ B. On the internal network between servers
   ❍ C. Between the Internet and the protected network
   ❍ D. Securing the main perimeter
   Quick Answer: 45, Detailed Answer: 61

20. Which of the following is the most likely placement of a stateful-inspection firewall?
   ❍ A. In the DMZ, between it and the internal network
   ❍ B. On the internal network between servers
   ❍ C. Between the Internet and the protected network
   ❍ D. Securing the main perimeter
   Quick Answer: 45, Detailed Answer: 61
21. Which of the following is an inherent security risk in using virtual machines?
   ❍ A. The BIOS can easily be compromised.
   ❍ B. The boot order can be easily changed.
   ❍ C. Security measures are nonexistent.
   ❍ D. The entire machine can be compromised.
   Quick Answer: 45, Detailed Answer: 62

22. Which of the following would be the most effective method to protect a virtual environment hosting medical data?
   ❍ A. Using segmented physical hardware for the virtual servers
   ❍ B. Using shared physical hardware with virtual machines for testing
   ❍ C. Using segmented physical hardware for each virtual server
   ❍ D. Using shared physical hardware with virtual machines for web applications
   Quick Answer: 45, Detailed Answer: 62

23. Which of the following are appropriate reasons to use virtualized environments? (Select all correct answers.)
   ❍ A. Reduces threat risk
   ❍ B. Allows isolation of applications
   ❍ C. Reduces equipment costs
   ❍ D. Allows environments on USB devices
   Quick Answer: 45, Detailed Answer: 62

24. Which of the following controls how access to a computer’s processors and memory is shared in a virtual environment?
   ❍ A. BIOS
   ❍ B. Hypervisor
   ❍ C. Operating system
   ❍ D. Virtual machine applications
   Quick Answer: 45, Detailed Answer: 62

25. In which of the following ways would a forensic analyst most likely use a virtual environment? (Select all correct answers.)
   ❍ A. To view the environment the same way the criminal did
   ❍ B. To load multiple cases at once
   ❍ C. To image hard drives and removable media
   ❍ D. To examine environments that may contain malware
   Quick Answer: 45, Detailed Answer: 62
26. Which of the following is true in regard to a compromised virtual machine environment?
   ❍ A. It is contained in its own environment.
   ❍ B. It can provide access to the network.
   ❍ C. Any threat can easily be addressed by deletion.
   ❍ D. It can be replaced by a backup copy immediately.
   Quick Answer: 45, Detailed Answer: 62

27. Which of the following is true about virtual machine environments? (Select all correct answers.)
   ❍ A. They are susceptible to the same issues as a host operating system.
   ❍ B. They do not need antivirus or malware protection.
   ❍ C. They need to be patched just like host environments.
   ❍ D. They are contained environments that do not need patching.
   Quick Answer: 45, Detailed Answer: 63

28. In which of the following areas should the vulnerabilities of existing virtual environments be addressed?
   ❍ A. Change management policy
   ❍ B. Business continuity plan
   ❍ C. Organizational security policy
   ❍ D. Disaster recovery plan
   Quick Answer: 45, Detailed Answer: 63

29. Which of the following are areas where virtual environments can be used to improve security? (Select all correct answers.)
   ❍ A. Scanning for malicious software
   ❍ B. Reducing internal data aggregation
   ❍ C. Allowing unstable applications to be isolated
   ❍ D. Providing better disaster recovery solutions
   Quick Answer: 45, Detailed Answer: 63

30. Which of the following is the most effective method to reduce server power consumption?
   ❍ A. Replacing older servers with newer low-wattage servers
   ❍ B. Combining all physical hardware into one virtualized server
   ❍ C. Using segmented physical hardware for like-kind virtual servers
   ❍ D. Using shared physical hardware for all virtual servers
   Quick Answer: 45, Detailed Answer: 63
30
Chapter 1
31. On which of the following types of technology can virtual environments be run? (Select all correct answers.)
❍ A. Servers
❍ B. Desktops
❍ C. USB drives
❍ D. Routers
32. Which of the following best describes a hypervisor?
❍ A. Acts as an intermediary between the kernel and the OS
❍ B. Provides multiple hardware systems to run one OS
❍ C. Acts as an intermediary between the kernel and the hardware
❍ D. Provides more than one operating system to run on a computer
33. Security concerns of virtual environments begin with which of the following?
❍ A. The underlying hardware
❍ B. The guest operating system
❍ C. The host operating system
❍ D. The virtual machine files
34. Which of the following is an unintended security risk in using virtual machines?
❍ A. The BIOS can easily be compromised.
❍ B. Disaster recovery becomes more complex.
❍ C. Most virtual machines run with high privileges.
❍ D. Technology is advancing faster than security.
35. Which of the following is the most effective method to secure a virtualized environment?
❍ A. Using encryption for all communication
❍ B. Locking down the host machine as tightly as possible
❍ C. Hosting as many virtual machines per server as possible
❍ D. Segmenting by the sensitivity of the contained information
36. Google Apps are examples of which of the following?
❍ A. SaaS
❍ B. IaaS
❍ C. PaaS
❍ D. DaaS
37. Which of the following creates an on-demand licensing environment without the up-front costs and maintenance associated with traditional software purchases?
❍ A. SaaS
❍ B. IaaS
❍ C. PaaS
❍ D. DaaS
38. Which of the following implementations typically have Internet connectivity, computer networking, grid computing, and hardware virtualization?
❍ A. SaaS
❍ B. IaaS
❍ C. PaaS
❍ D. DaaS
39. Which of the following models is useful for individuals and businesses that want to have the right to access a certain application without having to purchase a full license?
❍ A. SaaS
❍ B. IaaS
❍ C. PaaS
❍ D. DaaS
40. Which of the following methods of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department?
❍ A. SaaS
❍ B. IaaS
❍ C. PaaS
❍ D. DaaS
Objective 1.4: Implement and use common protocols.
1. Which of the following are the most commonly used cryptographic protocols for managing secure communication between a client and server over the Web? (Select all correct answers.)
❍ A. SSL
❍ B. TLS
❍ C. PPTP
❍ D. WEP
2. An organization wants to use an encapsulated tunneling protocol that does not send authentication information in cleartext to support the creation of VPNs. Which of the following meets this requirement?
❍ A. HTTP
❍ B. PPTP
❍ C. MIME
❍ D. L2TP
3. An organization wants to use a network protocol that enables the secure transfer of data from a remote client to a private enterprise server. Which of the following meets this requirement?
❍ A. HTTP
❍ B. PPTP
❍ C. MIME
❍ D. L2TP
4. Which of the following supports on-demand, multiprotocol, and virtual private networking over public networks?
❍ A. HTTP
❍ B. PPTP
❍ C. MIME
❍ D. L2TP
5. Which of the following cryptographic methods is used by SSH?
❍ A. RSA
❍ B. ECC
❍ C. OTP
❍ D. PGP
6. Which of the following algorithms can SSH use for data encryption? (Select all correct answers.)
❍ A. IDEA
❍ B. Blowfish
❍ C. DES
❍ D. Diffie-Hellman
7. Which of the following secure utilities are encapsulated in the SSH suite? (Select all correct answers.)
❍ A. slogin
❍ B. rlogin
❍ C. rsh
❍ D. scp
8. Which of the following protocols does IPsec use to provide authentication services, as well as encapsulation of data?
❍ A. HTTP
❍ B. PPTP
❍ C. IKE
❍ D. PKI
9. An organization wants to use a protocol that has connectionless integrity and data origin authentication for IP packets. Which of the following meets this requirement?
❍ A. IKE
❍ B. SSH
❍ C. IP
❍ D. AH
10. If IPsec is configured to use AH only, which of the following protocol traffic must be permitted to pass through the firewall?
❍ A. Protocol 255
❍ B. Protocol 51
❍ C. Protocol 50
❍ D. Protocol 2
11. If IPsec is configured to use ESP only, which of the following protocol traffic must be permitted to pass through the firewall?
❍ A. Protocol 255
❍ B. Protocol 51
❍ C. Protocol 50
❍ D. Protocol 2
12. If IPsec is configured for nested AH and ESP, IP can be configured to let only which of the following protocols' traffic pass through the firewall?
❍ A. Protocol 255
❍ B. Protocol 51
❍ C. Protocol 50
❍ D. Protocol 2
13. Which of the following encryption schemes does S/MIME use?
❍ A. RSA
❍ B. ECC
❍ C. OTP
❍ D. PGP
14. Which of the following protocols was developed to support connectivity for banking transactions and other secure web communications, but is not commonly used?
❍ A. HTTP
❍ B. PPTP
❍ C. S-HTTP
❍ D. S/MIME
15. Which of the following is a specification that provides email privacy using encryption and authentication via digital signatures?
❍ A. HTTP
❍ B. PPTP
❍ C. S-HTTP
❍ D. S/MIME
16. Which of the following encrypts and decrypts email messages using asymmetric encryption schemes such as RSA?
❍ A. S/MIME
❍ B. PGP/MIME
❍ C. HTTP
❍ D. PPTP
17. Which of the following TLS protocols allows the client and server to authenticate to one another?
❍ A. Record protocol
❍ B. Alert protocol
❍ C. Application protocol
❍ D. Handshake protocol
18. Which of the following TLS protocols provides connection security?
❍ A. Record protocol
❍ B. Alert protocol
❍ C. Application protocol
❍ D. Handshake protocol
19. An organization is concerned about web-based connections and wants to implement encryption and authentication. Which of the following ports will the organization typically use for secured communication?
❍ A. 8080
❍ B. 80
❍ C. 443
❍ D. 445
20. An organization is concerned about the cleartext communications of a Telnet session. Which of the following will the organization implement to authenticate and encrypt the data stream?
❍ A. SSL
❍ B. TLS
❍ C. WEP
❍ D. SSH
21. Which of the following protocols supports DES, 3DES, RC2, and RSA2 encryption, along with CHAP authentication, but was not widely adopted?
❍ A. S/MIME
❍ B. HTTP
❍ C. PPTP
❍ D. S-HTTP
22. Which of the following is a program that uses SSH to transfer files?
❍ A. SFTP
❍ B. S/MIME
❍ C. HTTPS
❍ D. S-HTTP
23. Which of the following is a network protocol that combines RCP and SSH but also supports file transfers?
❍ A. SFTP
❍ B. SCP
❍ C. HTTPS
❍ D. FTPS
24. There are reports that the FTP ports that are required for contract worker functionality are inaccessible. Which of the following ports would you check?
❍ A. 137/138/139
❍ B. 161/162
❍ C. 20/21
❍ D. 25/110/143
25. Several organizational users are experiencing network and Internet connectivity issues. Which of the following protocols would be used for troubleshooting the connectivity problems?
❍ A. SSL
❍ B. ICMP
❍ C. IPsec
❍ D. SNMP
Objective 1.5: Identify commonly used ports.
1. Which of the following services/protocols operate on Port 22?
❍ A. DNS
❍ B. SCP
❍ C. HTTPS
❍ D. SMB
2. Which of the following services/protocols operate on Port 443?
❍ A. DNS
❍ B. SCP
❍ C. HTTPS
❍ D. SMB
3. Which of the following services/protocols operate on Port 53?
❍ A. DNS
❍ B. SCP
❍ C. HTTPS
❍ D. SMB
4. Which of the following services/protocols operate on Port 445?
❍ A. DNS
❍ B. SCP
❍ C. HTTPS
❍ D. SMB
5. Which of the following services/protocols operate on Port 23?
❍ A. SMTP
❍ B. TFTP
❍ C. Telnet
❍ D. POP3
6. Which of the following services/protocols operate on Port 110?
❍ A. SMTP
❍ B. TFTP
❍ C. Telnet
❍ D. POP3
7. Which of the following ports will need to be opened to allow SMTP traffic?
❍ A. 22
❍ B. 21
❍ C. 25
❍ D. 23
8. Which of the following ports will need to be blocked to filter SNMP traffic? (Select two answers.)
❍ A. 161
❍ B. 1812
❍ C. 443
❍ D. 162
9. Which of the following services/protocols operate on Port 1812?
❍ A. NetBios
❍ B. RADIUS
❍ C. Portmap
❍ D. HTTPS
10. Which of the following ports will need to be opened to allow HTTP and HTTPS traffic? (Select two answers.)
❍ A. 110
❍ B. 80
❍ C. 443
❍ D. 25
11. Which of the following services/protocols operate on Port 990?
❍ A. FTPS
❍ B. SCP
❍ C. HTTPS
❍ D. SMB
12. Which of the following services/protocols operate on Port 15?
❍ A. NetBios
❍ B. Portmap
❍ C. Telnet
❍ D. Netstat
13. Which of the following ports will need to be opened to allow incoming and outgoing email traffic? (Select two answers.)
❍ A. 443
❍ B. 110
❍ C. 23
❍ D. 25
14. Which of the following services/protocols operate on Port 137?
❍ A. NetBios
❍ B. Portmap
❍ C. Telnet
❍ D. Netstat
15. Which of the following services/protocols operate on Port 111?
❍ A. NetBios
❍ B. Portmap
❍ C. Telnet
❍ D. Netstat
16. Which of the following ports will need to be blocked to filter NetBios traffic? (Select three answers.)
❍ A. 137
❍ B. 445
❍ C. 138
❍ D. 139
17. Which of the following services/protocols operate on Port 22? (Select three answers.)
❍ A. SSH
❍ B. SCP
❍ C. SFTP
❍ D. TFTP
18. Which of the following services/protocols operate on Port 69?
❍ A. FTP
❍ B. TFTP
❍ C. SFTP
❍ D. SSL
19. Which of the following services/protocols operate on Port 21?
❍ A. SFTP
❍ B. SSL
❍ C. FTP
❍ D. TFTP
20. Which standard port will be used to establish a web connection using the 40-bit RC4 encryption protocol?
❍ A. 110
❍ B. 445
❍ C. 138
❍ D. 443
Objective 1.6: Implement wireless network in a secure manner.
1. Which of the following encryption standards currently is the most secure for Wi-Fi connections?
❍ A. WAP
❍ B. WPA2
❍ C. WEP2
❍ D. WEP
2. When a client attempts to make an 802.1x-compliant connection, which of the following best describes how the AP authenticates the client?
❍ A. Users provide a shared password.
❍ B. Through hardware token authentication.
❍ C. Through a basic challenge-response method.
❍ D. Users provide an identifier along with a password.
3. Using the Temporal Key Integrity Protocol (TKIP) or Wi-Fi Protected Access (WPA/WPA2) standards would be most useful in preventing which of the following attacks?
❍ A. Weak encryption
❍ B. Data emanation
❍ C. Bluejacking
❍ D. War-driving
4. Which of the following is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point?
❍ A. Wireless Application Environment (WAE)
❍ B. Wireless Session Layer (WSL)
❍ C. Wireless Transport Layer Security (WTLS)
❍ D. Wired Equivalent Privacy (WEP)
5. The Wi-Fi Protected Access standards were developed by the Wi-Fi Alliance to replace which of the following?
❍ A. DES
❍ B. WAP
❍ C. AES
❍ D. WEP
6. Which of the following are non-vendor-specific strong authentication protocols for wireless communications? (Select two.)
❍ A. EAP
❍ B. PEAP
❍ C. LEAP
❍ D. WEP
7. Which of the following reduces vulnerability to replay attacks through 128-bit keys and a 48-bit initialization vector (IV)?
❍ A. WEP
❍ B. ICMP
❍ C. WPA
❍ D. CCMP
8. Which of the following combines centralized two-way authentication with dynamically generated wireless equivalent privacy keys or WEP keys?
❍ A. EAP
❍ B. PEAP
❍ C. LEAP
❍ D. WEP
9. Which of the following can be used to mitigate the security risk on an antenna that is too strong?
❍ A. Antenna placement
❍ B. Power level controls
❍ C. SSID broadcast
❍ D. MAC filtering
10. Which of the following is a wireless security measure that permits and denies network access through the use of blacklists and whitelists?
❍ A. Antenna placement
❍ B. Power level controls
❍ C. SSID broadcast
❍ D. MAC filtering
11. Which of the following are ways to mitigate the vulnerabilities of wireless networks? (Select all correct answers.)
❍ A. Requiring WPA2 encryption
❍ B. Turning off SSID broadcast
❍ C. Turning on DHCP on the WAP
❍ D. Restricting access by MAC addresses
12. Which of the following is most closely linked to packet sniffing?
❍ A. SSID broadcast
❍ B. Application flaws
❍ C. Application development
❍ D. Automated attacks
13. Which of the following best describes the result of adding a MAC address to the approved list?
❍ A. It is considered part of the whitelist.
❍ B. It is considered part of the blacklist.
❍ C. It is considered part of the graylist.
❍ D. It is considered part of the brownlist.
14. You have a network on which there are mixed vendor devices and are required to implement a strong authentication solution for wireless communications. Which of the following would best meet your requirements? (Select two.)
❍ A. PEAP
❍ B. WEP
❍ C. LEAP
❍ D. EAP
15. Which of the following includes a packet number (PN) field and produces a message integrity code (MIC) providing data origin authentication and data integrity for the packet payload data?
❍ A. WPA
❍ B. WEP
❍ C. CCMP
❍ D. ICMP
Quick-Check Answer Key

Objective 1.1: Explain the security function and purpose of network devices and technologies.
1. B, C, D
2. B
3. D
4. A
5. B
6. D
7. B, C
8. D
9. C
10. A
11. B
12. A
13. C
14. D
15. A, B, D
16. A, B
17. B
18. D
19. A
20. C
21. A
22. D
23. C
24. A, B
25. B
26. B
27. A, B
28. D
29. A, B
30. D

Objective 1.2: Apply and implement secure network administration principles.
1. A, C
2. A, B
3. B
4. D
5. A
6. C
7. B
8. D
9. C
10. A
11. B
12. D
13. A, B, C
14. A, C, D
15. B, C, D
16. B
17. A, C, D
18. A, B
19. D
20. A, B, C
21. C
22. A
23. B
24. A, C
25. B, D
26. A
27. B
28. D
29. C
30. D
31. B
32. A
33. B
34. C, D
35. A

Objective 1.3: Distinguish and differentiate network design elements and compounds.
1. B, C
2. C
3. A
4. D
5. B
6. C
7. D
8. C, D
9. B
10. A
11. B
12. D
13. A
14. A, C, D
15. C
16. A, D
17. C
18. B
19. A
20. D
21. D
22. A
23. B, C
24. B
25. A, D
26. B
27. A, C
28. C
29. C, D
30. C
31. A, B, C, D
32. D
33. B
34. C
35. D
36. C
37. A
38. B
39. A
40. B

Objective 1.4: Implement and use common protocols.
1. A, B
2. D
3. B
4. B
5. A
6. A, B, C
7. A, D
8. C
9. D
10. B
11. C
12. B
13. A
14. C
15. D
16. B
17. D
18. A
19. C
20. D
21. D
22. A
23. B
24. C
25. B

Objective 1.5: Identify commonly used ports.
1. B
2. C
3. A
4. D
5. C
6. D
7. C
8. A, D
9. B
10. B, C
11. A
12. D
13. B, D
14. A
15. B
16. A, C, D
17. A, B, C
18. B
19. C
20. D

Objective 1.6: Implement wireless network in a secure manner.
1. B
2. C
3. A
4. D
5. D
6. A, C
7. D
8. C
9. B
10. D
11. A, B, D
12. A
13. A
14. A, D
15. C
Answers and Explanations Objective 1.1: Explain the security function and purpose of network devices and technologies. 1. Answer: B, C, D. Intrusion detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer A is incorrect because preventing attacks is associated with an intrusion prevention system. 2. Answer: B. IDSs are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of an attack. Based on this information, answers A, C, and D are incorrect. 3. Answer: D. A HIDS collects and analyzes data that originates on the local machine. Answer A is incorrect; a NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer B is incorrect; intrusion prevention differs from intrusion detection in that it actually prevents attacks in real-time instead of only detecting the occurrence. Answer C is incorrect because firewalls control the information that gets in and out of the network. 4. Answer: A. A NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer B is incorrect; intrusion prevention differs from intrusion detection in that it actually prevents attacks in real-time instead of only detecting the occurrence. Answer C is incorrect because firewalls control the information that gets in and out of the network. Answer D is incorrect; a HIDS collects and analyzes data that originates on the local machine. 5. Answer: B. 
Intrusion prevention differs from intrusion detection in that it actually prevents attacks in real-time instead of only detecting the occurrence. Answer A is incorrect; a NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer C is incorrect because firewalls control the information that gets in and out of the network. Answer D is incorrect; a HIDS collects and analyzes data that originates on the local machine. 6. Answer: D. Network Load Balancers are servers configured in a cluster to provide scalability and high availability. Load Balancing distributes IP traffic to multiple copies of a TCP/IP service, such as a web server, each running on a host within the cluster. Answer A is incorrect because virtual machine hosts are used to take advantage of hardware advancements. Answer B is incorrect because a VPN concentrator is used to allow multiple users to access network resources using secure features that are built in to the device and are deployed where the requirement is for a single device to handle a very large number of VPN tunnels. Answer C is incorrect because storage area networks are used to make storage devices accessible to servers so that the devices appear as locally attached.
48
Chapter 1
7. Answer: B, C. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. Answer A is incorrect because sensors are not placed on domain controllers. Answer D is incorrect because the sensors add single points of failure to the network, not redundancy. 8. Answer: D. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it does not cause a complete network outage; instead, it acts like a patch cable. Answer A is incorrect because fail-open has nothing to do with application redundancy. Answer B is incorrect; a NIPS fail-open has nothing to do with fire. Answer C is incorrect because it does not cause a complete network outage; instead, it acts like a patch cable. 9. Answer: C. A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. Answer A is incorrect; a NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer B is incorrect because intrusion prevention prevents attacks in real-time instead of only detecting the occurrence. Answer D is incorrect; a HIDS collects and analyzes data that originates on the local machine. 10. Answer: A. A VPN concentrator is used to allow multiple users to access network resources using secure features that are built in to the device and are deployed where the requirement is for a single device to handle a very large number of VPN tunnels. Answer B is incorrect because Network Load Balancers are servers configured in a cluster to provide scalability and high availability. 
Answer C is incorrect because virtual machine hosts are used to take advantage of hardware advancements. Answer D is incorrect because storage area networks are used to make storage devices accessible to servers so that the devices appear as locally attached. 11. Answer: B. A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. Answer A is incorrect because it describes the function of a stateful-inspection firewall. A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Answer C is incorrect; a circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a l egitimate one. Answer D is incorrect. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). 12. Answer: A. A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Answer B is incorrect. A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls
Domain 1.0: Network Security
49
because they still allow packets inside the network, regardless of communication pattern within the session. Answer C is incorrect; a circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one. Answer D is incorrect. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). 13. Answer: C. A circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one. Answer A is incorrect. A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Answer B is incorrect; a packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. Answer D is incorrect. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). 14. Answer: D. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Answer A is incorrect. 
A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Answer B is incorrect. A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. Answer C is incorrect; a circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one. 15. Answer: A, B, D. Proxy servers are used for security, logging, and caching. When the proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Answer C is incorrect. Addressing is a function of a DHCP server. 16. Answer: A, B. An exposed server that provides public access to a critical service, such as a web or email server, may be configured to isolate it from an organization’s network and to report attack attempts to the network administrator. Such an isolated server is referred to as a bastion host, named for the isolated towers that were used to provide castles advanced notice of pending assault. Answer C is incorrect. Database servers are generally contained on the internal network. Answer D is incorrect. DHCP servers give out IP addresses on the internal network. 17. Answer: B. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are
50
Chapter 1
faster, and traffic to the Internet is substantially reduced. Answer A is incorrect. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense. 18. Answer: D. A packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense. Answer A is incorrect. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. 
19. Answer: A. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense. 20. Answer: C. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer A is incorrect. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer B is incorrect. When a proxy
Domain 1.0: Network Security
51
server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

21. Answer: A. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

22. Answer: D. Content filtering is integrated at the operating system level so that it can monitor events such as opening files via Windows Explorer. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Based on the previous information, answers A, B, and C are incorrect because content filtering is integrated at the operating system level.

23. Answer: C.
Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” For example, to filter nonpornographic material, the terminology must be input and defined in the database. Answer A is incorrect because content filtering helps control bandwidth costs. Answer B is incorrect based on the previously stated information. Answer D is incorrect. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. This leaves the system open to DoS attacks.

24. Answer: A, B. Protocol analyzers can do more than just look at packets. They prove useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if the network is running slowly, a protocol analyzer can tell you whether necessary protocols are running on the network. Answers C and D are incorrect; attack prevention is a function of an intrusion prevention system, not a protocol analyzer.

25. Answer: B. Content filtering will report only on violations identified in the specified applications listed for the filtering application. In other words, if the application will filter only Microsoft Office documents and a user chooses to use OpenOffice, the content will not be filtered. Based on the preceding information, answers A, C, and D are incorrect; content filtering will report only on violations identified in the specified applications listed for the filtering application.
52
Chapter 1
26. Answer: B. Like most other solutions, firewalls have strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or nontrusted services and applications. However, they require proper configuration. Answers A and C are incorrect because they describe behaviors associated with antivirus software. Answer D is incorrect because blocking off the system through BIOS access would cause it to not boot.

27. Answer: A, B. A host intrusion detection system uses either misuse detection or anomaly detection. A HIDS monitors events for suspicious activity. This can be done by using either misuse detection or anomaly detection. In misuse detection, a database of signatures is used, and the information monitored is compared to the database. This is similar to the way antivirus software works. Answer C is incorrect because blacklists are associated with email. Answer D is incorrect because outbound monitoring is usually done by a firewall.

28. Answer: D. Monitoring outbound connections is important in the case of malware that “phones home.” Without this type of protection, the environment is not properly protected. Answer A is incorrect because behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent are associated with spyware. Answer B is incorrect because tracking users’ inappropriate site visits is associated with content filtering. Answer C is incorrect. Monitoring bandwidth usage is a function of a network tool.

29. Answer: A, B. HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. NIDSs monitor the packet flow and try to locate packets that may have gotten through misconfigured firewalls and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.
Answers C and D are incorrect because they are associated with a NIDS.

30. Answer: D. NIDSs try to locate packets not allowed on the network. HIDSs collect and analyze data that originate on the local machine or a computer hosting a service. NIDSs tend to be more distributed. Answers A, B, and C are incorrect because they describe features of a NIDS.
Objective 1.2: Apply and implement secure network administration principles.

1. Answer: A, C. Port 110 is used for POP3 incoming mail and port 25 is used for SMTP mail. Answer B is incorrect because port 21 is used for FTP. Port 443 is used by HTTPS; therefore, answer D is incorrect.

2. Answer: A, B. UDP ports 161 and 162 are used by SNMP. Answer C is incorrect because port 443 is used by HTTPS. Answer D is incorrect because port 4445 uses TCP/UDP for service type upnotifyp.

3. Answer: B. A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect because it describes a separate subnetwork. Answer C is incorrect because it describes an
intranet. An intranet is a portion of the internal network that uses web-based technologies. The information is stored on web servers and accessed using browsers. Answer D is incorrect because it describes an extranet. An extranet is the public portion of the company’s IT infrastructure that allows resources to be used by authorized partners and resellers that have proper authorization and authentication. This type of arrangement is commonly used for business-to-business relationships.

4. Answer: D. The purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. Answer A is incorrect because it describes NAT, which allows multiple computers to connect to the Internet using one IP address. Answer B is incorrect; a switch is used to unite network nodes physically into the same broadcast domain. Answer C is incorrect because subnetting splits one network into two or more, using routers to connect each subnet.

5. Answer: A. NAT allows multiple computers to connect to the Internet using one IP address. Answer B is incorrect; a switch is used to unite network nodes physically into the same broadcast domain. Answer C is incorrect because subnetting splits one network into two or more, using routers to connect each subnet. Answer D is incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network.

6. Answer: C. Subnetting splits one network into two or more, using routers to connect each subnet. Answer A is incorrect. NAT allows multiple computers to connect to the Internet using one IP address. Answer B is incorrect; a switch is used to unite network nodes physically into the same broadcast domain.
Answer D is incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network.

7. Answer: B. Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. An important security aspect of NAT is that it hides the internal network from the outside world. Answers A and C are incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. Answer D is incorrect; a DMZ allows external users to access information that the organization deems necessary.

8. Answer: D. Subnetting can be done for several reasons. If you have a Class C address and 1,000 clients, you will have to subnet the network or use a custom subnet mask to accommodate all the hosts. The most common reason networks are subnetted is to control network traffic by limiting broadcast domains, which limits broadcast storms. Answers A and C are incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. Answer B is incorrect; an important security aspect of NAT is that it hides the internal network from the outside world.
9. Answer: C. There are specific reserved private IP addresses for use on an internal network. In a Class C network, valid nonroutable host IDs are from 192.168.0.1 to 192.168.255.254. Network addresses with the first byte between 192 and 223 are Class C and can have about 250 hosts. Answer A is incorrect because it is a Class A address. Valid host IDs are from 10.0.0.1 to 10.255.255.254. Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each. Answer B is incorrect because it is a Class B address; valid host IDs are from 172.16.0.1 through 172.31.255.254. Network addresses with the first byte between 128 and 191 are Class B and can have about 65,000 hosts each. Answer D is incorrect because network addresses with the first byte between 224 and 239 are Class D and are used for multicasting.

10. Answer: A. Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA). In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range. Answer B is incorrect because if the client has a corrupt routing table, it will not be able to reach the proper destination. Answer C is incorrect because if the client has a manually configured address, it is not usually in the 169.254.x.x address range. If the client cannot contact the DNS server, the message displayed is “Cannot contact DNS server”; therefore, answer D is incorrect.

11. Answer: B. In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range. Answer A is incorrect because it is a Class C internal address. Answer C is incorrect because it is a Class D address.
Answer D is incorrect because it is a Class B internal address.

12. Answer: D. One of the most effective ways to protect the network from malicious hosts is to use network access control (NAC). NAC offers a method of enforcement that helps ensure that computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, grant access accordingly. Answer A is incorrect because it describes the function of NAT. Answer B is incorrect because it describes the function of subnetting. Answer C is incorrect because it describes the function of a VLAN.

13. Answer: A, B, C. In a Class A network, valid nonroutable host IDs are from 10.0.0.1 to 10.255.255.254. In a Class B network, valid nonroutable host IDs are from 172.16.0.1 through 172.31.255.254. In a Class C network, valid nonroutable host IDs are from 192.168.0.1 to 192.168.255.254. Answer D is incorrect because network addresses with the first byte between 224 and 239 are Class D and are reserved for multicasting.

14. Answer: A, C, D. The basic components of NAC products are the access requestor (AR), which is the device that requests access; the policy decision point (PDP), which is the system that assigns a policy based on the assessment; and the policy enforcement point (PEP), which is the device that enforces the policy. Answer B is incorrect. The network redirector, or redirector, is an operating system driver that sends data to and receives data from a remote device.
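The address ranges behind questions 9 through 13 (classful ranges by first octet, the three RFC 1918 nonroutable ranges, the APIPA fallback range, and Class D multicast) are easy to misremember at the boundaries, for example 172.31.x.x versus 172.32.x.x. The classifier below is an added example, not code from the book, that encodes those ranges with the standard library `ipaddress` module and flags the cases the answers describe; the sample addresses and the loopback handling for 127.x.x.x are my additions.

```python
"""Classify IPv4 addresses the way the answer key for questions 9 through 13
describes them: classful range by first octet, the three RFC 1918 nonroutable
(private) ranges, the APIPA fallback range, and Class D multicast.

Added illustration, not from the book; the sample addresses are constructed."""
import ipaddress

# RFC 1918 private ranges, one per address class, as the answer key lists them.
PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.1 - 10.255.255.254
    "B": ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.1 - 172.31.255.254
    "C": ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.1 - 192.168.255.254
}
# Range a DHCP client self-assigns when no DHCP server answers (questions 10 and 11).
APIPA = ipaddress.ip_network("169.254.0.0/16")


def address_class(addr: str) -> str:
    """Classful letter implied by the first octet; 127.x.x.x is loopback, not Class A."""
    first = int(addr.split(".")[0])
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"      # multicast
    if 240 <= first <= 255:
        return "E"      # reserved / experimental
    return "reserved"   # first octet 0


def classify(addr: str) -> dict:
    """Return the facts about one address that matter when designing address space."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    cls = address_class(addr)
    info = {
        "address": addr,
        "class": cls,
        "private_class": None,     # letter of the RFC 1918 range it falls in, if any
        "apipa": ip in APIPA,
        "multicast": cls == "D",
    }
    for letter, net in PRIVATE_RANGES.items():
        if ip in net:
            info["private_class"] = letter
    # Nonroutable on the public Internet: private, APIPA, loopback or multicast.
    info["routable"] = not (info["private_class"] or info["apipa"]
                            or info["multicast"] or cls in ("loopback", "reserved"))
    return info


def dhcp_failure_suspected(addr: str) -> bool:
    """An address in 169.254.0.0/16 means the client never got a DHCP lease (question 10)."""
    return ipaddress.ip_address(addr) in APIPA


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 is an RFC 5737 documentation range.
    for sample in ("10.1.2.3", "172.32.0.1", "192.168.1.10",
                   "169.254.10.5", "224.0.0.9", "203.0.113.7"):
        print(classify(sample))
```

Note that 172.32.0.1 comes out as Class B but not private: the private Class B block is 172.16.0.0/12, which ends at 172.31.255.255, so a first-octet check alone is not enough to decide routability.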
15. Answer: B, C, D. The policy enforcement point is the device that enforces the policy. This device may be a switch, firewall, or router. Answer A is incorrect; a hub cannot enforce policy.

16. Answer: B. The four ways NAC systems can be integrated into the network are inline, out-of-band, switch based, and host based. An out-of-band NAC system intervenes and performs an assessment as hosts come online, and then grants appropriate access. Answer A is incorrect. An inline appliance usually sits between the access and the distribution switches. Answer C is incorrect. Switch based is similar to in-band NAC except enforcement occurs on the switch itself. Answer D is incorrect. Host based relies on an installed host agent to assess and enforce access policy on devices.

17. Answer: A, C, D. In addition to providing the capability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers a number of business benefits. The business benefits include compliance, a better security posture, and operational cost management. Answer B is incorrect. Separation of duties is one of the key concepts of internal controls. It is not a business benefit. It is the most difficult and sometimes the most costly one to achieve.

18. Answer: A, B. To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port. Answers C and D are incorrect because these are solutions associated with mitigating vulnerabilities associated with VoIP.

19. Answer: D. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.
To protect your network, make sure the Private Branch Exchange (PBX) is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Answer A is incorrect. Man-in-the-middle attacks are executed between the SIP phone and a SIP proxy, allowing the audio to be manipulated, causing dropped, rerouted, or playback calls. Answers B and C are incorrect; they are associated with VoIP. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent.

20. Answer: A, B, C. Man-in-the-middle attacks are executed between the SIP phone and a SIP proxy, allowing the audio to be manipulated, causing dropped, rerouted, or playback calls. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent. Answer D is incorrect. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

21. Answer: C. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Answer A is incorrect because long-distance toll fraud is associated with a PBX. Answer B is incorrect; war-dialing attacks take advantage of unsecure modems. Answer D is incorrect because war-driving attacks take advantage of wireless networks.
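Questions 12 through 16 describe NAC as three cooperating components (access requestor, policy decision point, policy enforcement point) and an out-of-band deployment that assesses a host as it comes online and then grants access accordingly. The following is an added example, not code from the book or from any NAC product, that models that flow end to end: the AR submits a posture report, the PDP compares it against a policy, and a switch acting as PEP places the port in a production or remediation VLAN. The posture attributes, policy thresholds, VLAN numbers and sample hosts are all constructed for the example.

```python
"""Network access control (NAC) decision flow using the three components the
answer key names for question 14: the access requestor (AR) that asks for
access, the policy decision point (PDP) that assigns a policy from the
assessment, and the policy enforcement point (PEP) that applies it.

Added illustration, not from the book. The posture attributes, thresholds and
VLAN numbers are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PostureReport:
    """What the AR (the connecting host, via its NAC agent) reports at connect time."""
    mac: str
    av_signature_age_days: int      # days since the antivirus database was last updated
    missing_critical_patches: int   # count of critical patches not yet applied
    host_firewall_enabled: bool
    agent_present: bool = True      # host-based NAC needs an installed agent to assess at all


@dataclass
class Policy:
    """Thresholds the PDP checks the report against (constructed values)."""
    max_av_age_days: int = 7
    max_missing_patches: int = 0
    require_host_firewall: bool = True


@dataclass
class Decision:
    verdict: str                                  # "allow" or "quarantine"
    reasons: List[str] = field(default_factory=list)


def pdp_evaluate(report: PostureReport, policy: Optional[Policy] = None) -> Decision:
    """PDP: assess the posture report and decide which policy applies."""
    policy = policy or Policy()
    if not report.agent_present:
        # Nothing to assess, so the safe default is remediation-only access.
        return Decision("quarantine", ["no NAC agent present; posture cannot be assessed"])
    reasons = []
    if report.av_signature_age_days > policy.max_av_age_days:
        reasons.append(f"antivirus signatures are {report.av_signature_age_days} days old")
    if report.missing_critical_patches > policy.max_missing_patches:
        reasons.append(f"{report.missing_critical_patches} critical patch(es) missing")
    if policy.require_host_firewall and not report.host_firewall_enabled:
        reasons.append("host firewall disabled")
    return Decision("allow" if not reasons else "quarantine", reasons)


class SwitchPEP:
    """PEP: an access switch that enforces the decision by assigning the port's VLAN.

    A switch, firewall or router can play this role (question 15); a hub cannot,
    because it has no per-port policy to apply."""
    PRODUCTION_VLAN = 10     # constructed VLAN ids
    QUARANTINE_VLAN = 999    # remediation-only network (patch and AV servers reachable)

    def __init__(self) -> None:
        self.port_vlan = {}

    def enforce(self, port: str, decision: Decision) -> int:
        vlan = self.PRODUCTION_VLAN if decision.verdict == "allow" else self.QUARANTINE_VLAN
        self.port_vlan[port] = vlan
        return vlan


def admit(port: str, report: PostureReport, pep: SwitchPEP,
          policy: Optional[Policy] = None) -> Tuple[Decision, int]:
    """Out-of-band style flow: assess the host as it comes online, then grant access accordingly."""
    decision = pdp_evaluate(report, policy)
    vlan = pep.enforce(port, decision)
    return decision, vlan


if __name__ == "__main__":
    pep = SwitchPEP()
    healthy = PostureReport("00:11:22:33:44:55", 1, 0, True)    # constructed sample hosts
    stale = PostureReport("00:11:22:33:44:66", 30, 2, False)
    for port, host in (("Gi1/0/1", healthy), ("Gi1/0/2", stale)):
        decision, vlan = admit(port, host, pep)
        print(port, decision.verdict, vlan, decision.reasons)
```

The quarantine VLAN is what makes NAC a compliance tool rather than just a gate: a noncompliant host is contained but can still reach the remediation servers it needs to become compliant, which is the "contain noncompliant users" benefit question 17 refers to.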
22. Answer: A. For years, PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy. Answer B is incorrect; war-dialing attacks take advantage of unsecure modems. Answer C is incorrect. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Answer D is incorrect. War-driving is used to intercept wireless communications by driving around looking for unsecured wireless networks.

23. Answer: B. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. Answer A is incorrect because long-distance toll fraud is associated with a PBX. Answer C is incorrect; using SIP can leave VoIP networks open to unauthorized transport of data. Answer D is incorrect because war-driving attacks take advantage of wireless networks.

24. Answer: A, C. Implementing the following solutions can help mitigate the risks and vulnerabilities associated with VoIP: encryption, authentication, data validation, and nonrepudiation. VoIP is based on a TCP/IP network; therefore, technologies that are used to secure IP networks can be used for VoIP, too. Answer B is incorrect because callback features are associated with the use of modems. Answer D is incorrect because encryption and firewall solutions are associated with the use of cable modems.

25. Answer: B, D.
Setting the callback features to have the modem call the user back at a preset number and using encryption and firewall solutions will help keep the environment safe from attacks. Answers A and C are incorrect; implementing encryption, authentication, data validation, and nonrepudiation can help mitigate the risks and vulnerabilities associated with VoIP.

26. Answer: A. The loop guard feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with denial of service attacks (DoS). Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.

27. Answer: B. A flood guard is a firewall feature to control network activity associated with denial of service attacks (DoS). Answer A is incorrect because the loop guard feature makes additional checks in Layer 2 switched networks. Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.
28. Answer: D. Port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port. Answer A is incorrect because the loop guard feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with denial of service attacks (DoS). Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access.

29. Answer: C. With interconnected networks, the potential for damage greatly increases because one compromised system on one network can easily spread to other networks. Networks that are shared by partners, vendors, or departments should have clear separation boundaries. Answer A is incorrect because logging is the process of collecting data to be used for monitoring and auditing purposes. Answer B is incorrect because access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. Answer D is incorrect because VLANs are a logical separation of a physical network.

30. Answer: D. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. VLANs are a logical separation of a physical network. Answer A is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port. Answer B is incorrect because access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required.
Answer C is incorrect. With interconnected networks, the potential for damage greatly increases because one compromised system on one network can easily spread to other networks. Networks that are shared by partners, vendors, or departments should have clear separation boundaries.

31. Answer: B. Logging is the process of collecting data to be used for monitoring and auditing purposes. Answer A is incorrect because it describes baselining. Answer C is incorrect because it describes auditing. Answer D is incorrect because it describes monitoring.

32. Answer: A. Logging procedures and evaluation are an important part of keeping your network safe. However, before you can configure logging, it is essential to identify what is typical behavior for your network. Answers B, C, and D are incorrect; all these functions are performed after logging is enabled.

33. Answer: B. When choosing what to log, be sure you choose carefully. Logs take up disk space and use system resources. They also have to be read, and if you log too much, you will bog down the system and it will take a long time to weed through the log files to determine what is important. Therefore, answers A, C, and D are incorrect.

34. Answer: C, D. Standards should be implemented for the types of events you want to log based on business, technical, and regulatory requirements, and the threats the organization faces. Answer A is incorrect because although user needs should be considered, logging standards should not be based on them. Answer B is incorrect; vendor requirements have nothing to do with organizational logging standards.
35. Answer: A. Not only do you need to read the logs, you may also have to know how to correlate events by examining the output. Answers B, C, and D are incorrect; they are not pertinent to being able to decipher log files.
Objective 1.3: Distinguish and differentiate network design elements and compounds.

1. Answer: B, C. The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and provide notification of suspicious behavior. Answer A is incorrect because this is the function of a protocol analyzer. Answer D is incorrect because Internet content filters monitor unauthorized transfer of confidential information.

2. Answer: C. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests destined for servers in the DMZ or to route requests to an authentication proxy. The second firewall is placed to allow outbound requests. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet. Answer A is incorrect; the first firewall should be deployed in front of the DMZ, not behind it. Answer B is incorrect; although the extranet would be located in the DMZ, and the intranet is located on the internal network, it is between the DMZ and the internal network where the firewall should be placed. Answer D is incorrect; although you may have a firewall between the user data and financial data, if you are deploying only two, the second one should go between the DMZ and the internal network.

3. Answer: A. A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the Open Systems Interconnection (OSI) model. Packet-filtering solutions are generally considered less secure firewalls because they still allow packets inside the network, regardless of communication patterns within the session. Answer B is incorrect; all firewalls should be physically secure.
Answer C is incorrect because secure passwords for firewalls can easily be created. Answer D is incorrect because compromising a secure router takes quite a bit of effort.

4. Answer: D. Proxy service firewalls are go-betweens for the network and the Internet. They can be used to hide the internal addresses from the outside world through NAT. This does not allow the computers on the network to directly access the Internet. Answer A is incorrect because it describes the function of an intrusion detection system. Answers B and C are incorrect because they describe functions associated with an Internet content filtering system, not a proxy service firewall.

5. Answer: B. Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don’t allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. Because the firewall checks traffic against a set of rules, settings, policies, and guidelines are incorrect. Therefore, answers A, C, and D are incorrect.
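Question 3 here, and question 23 of the previous objective, state that packet-filtering firewalls are considered less secure because they admit packets "regardless of communication patterns within the session", and question 26 of that objective defines implicit deny. The example below is an added illustration, not code from the book, that makes both points concrete: a first-match rule evaluator with an implicit deny, beside a minimal stateful variant that keeps a connection table. The rule set, the RFC 5737 documentation addresses and the packets are constructed for the example, and the stateful logic is a simplified model, not any vendor's implementation.

```python
"""First-match packet filter with an implicit deny, beside a minimal stateful
variant, to show why the answer key calls stateless packet filtering the weaker
firewall design: it must permit return traffic by port number alone, so it
cannot tell a reply from an unsolicited packet that merely uses the same ports.

Added illustration, not from the book. The rule set, addresses (RFC 5737
documentation ranges) and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN marks a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR prefix
    dst: str                     # CIDR prefix
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def stateless_filter(rules: List[Rule], pkt: Packet) -> str:
    """Evaluate rules top-down; the first match wins and no match is an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


INTERNAL = "192.168.1.0/24"
ANY = "0.0.0.0/0"

# Stateless rule set: outbound web is allowed, and to let the replies back in the
# filter has to permit inbound TCP from source port 80/443 to any internal host.
STATELESS_RULES = [
    Rule("permit", "tcp", INTERNAL, ANY, dport=80),
    Rule("permit", "tcp", INTERNAL, ANY, dport=443),
    Rule("permit", "tcp", ANY, INTERNAL, sport=80),    # port-based "return traffic" rule
    Rule("permit", "tcp", ANY, INTERNAL, sport=443),
]

# A stateful rule set only needs the connection-initiating direction.
STATEFUL_RULES = [
    Rule("permit", "tcp", INTERNAL, ANY, dport=80),
    Rule("permit", "tcp", INTERNAL, ANY, dport=443),
]


class StatefulFilter:
    """Rules are consulted only for new connections; replies are matched against a state table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Tuple[str, str, int, str, int]] = set()   # permitted flows

    def check(self, pkt: Packet) -> str:
        # A packet travelling the reverse direction of a known flow is a reply.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"       # mid-stream TCP segment with no state: drop it
        action = stateless_filter(self.rules, pkt)
        if action == "permit":
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


if __name__ == "__main__":
    # Constructed traffic: a client's web request, the server's reply, and an
    # unsolicited inbound packet that happens to carry source port 80.
    request = Packet("tcp", "192.168.1.20", 51000, "203.0.113.5", 80, syn=True)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.20", 51000)
    unsolicited = Packet("tcp", "203.0.113.9", 80, "192.168.1.20", 445, syn=True)
    sf = StatefulFilter(STATEFUL_RULES)
    for name, pkt in (("request", request), ("reply", reply), ("unsolicited", unsolicited)):
        print(f"{name:12s} stateless={stateless_filter(STATELESS_RULES, pkt):6s} "
              f"stateful={sf.check(pkt)}")
```

Run it and the stateless filter permits all three packets, because the third one satisfies the same port-based rule the reply does; the stateful filter permits the request and its reply but denies the unsolicited packet, since no internal host opened that connection. That difference is what question 17 later in this objective means when it says stateful inspection is suited for the main perimeter.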
6. Answer: C. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer B is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer D is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy.

7. Answer: D. A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer B is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer C is incorrect. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network.

8. Answer: C, D. Because you want to monitor both types of traffic, the IDSs should be used together. Network-based intrusion detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and may have gotten through the firewall. Host-based intrusion detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. A firewall protects computers and networks from undesired access by the outside world; therefore, answer A is incorrect. Answer B is incorrect because Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications.
Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes.

9. Answer: B. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. Answer A is incorrect; proxy servers are usually placed internally for web content caching. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer D is incorrect. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

10. Answer: A. Proxy servers are usually placed internally for web content caching. Answer B is incorrect; proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer D is incorrect. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.
11. Answer: B. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. Answer A is incorrect; proxy servers are usually placed internally for web content caching. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer D is incorrect. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

12. Answer: D. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Answer A is incorrect; proxy servers are usually placed internally for web content caching. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer B is incorrect. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content.

13. Answer: A. Internet content filtering works by analyzing data against a database contained in the software. Content filtering reports only on violations identified in the specified applications listed for the filtering application.
In other words, if the application will only filter Microsoft Office documents and a user chooses to use Open Office, the content will not be filtered. Answers B and C are incorrect; they describe functions associated with firewalls. Answer D is incorrect; analyzing traffic patterns is associated with an intrusion detection systems. 14. Answer: A, C, D. Network Internet content filters can be hardware or software. Many network solutions combine both. Hardware appliances are usually connected to the same network segment as the users they will monitor. Other configurations include being deployed behind a firewall or in a DMZ, with public addresses behind a packetfiltering router. These appliances use access control filtering software on the dedicated filtering appliance. The device monitors every packet of traffic that passes over a network. Answer B is incorrect; network Internet content filters would not be placed on the individual systems. If this were true, they would become host-based content filters. 15. Answer: C. In some proxy server designs, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Answer A is incorrect; proxy servers are usually placed internally for content caching not in parallel with IP routers. Answer B is incorrect; proxy servers can be placed between the private network and the Internet for Internet connectivity. Answer D is incorrect because it describes Internet content filters. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information.
Domain 1.0: Network Security
61
16. Answer: A, D. Protocol analyzers can be placed inline or in between the devices from which you want to capture the traffic. If you are analyzing SAN traffic, the analyzer can be placed outside the direct link with the use of an optical splitter. The analyzer is placed to capture traffic between the host and the monitored device. Answers B and C are incorrect because protocol analyzers are used to troubleshoot internal network issues; therefore, they would not be placed outside the network.

17. Answer: C. A packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network. Answer A is incorrect because proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network. Answer B is incorrect. Firewalls are not usually placed in between servers on the internal network; VLANs are used to separate resources. Answer D is incorrect because a stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested.

18. Answer: B. When deploying multiple firewalls, you might experience network latency. If you do, check the placement of the firewalls and possibly reconsider the topology to be sure you get the most out of the firewalls. Answer A is incorrect. If the access lists are configured correctly, legitimate traffic should not be blocked. This is true whether you are using 1 firewall or 10 firewalls. Answer C is incorrect; using multiple firewalls will reduce the attack vector, not increase it. Answer D is incorrect. Troubleshooting should become less complex because each firewall is configured for the traffic it will filter.

19. Answer: A. Proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network. Answer B is incorrect. Firewalls are not usually placed in between servers on the internal network; VLANs are used to separate resources. Answer C is incorrect because a packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network. Answer D is incorrect because a stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested.

20. Answer: D. A stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested. Answer A is incorrect because proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network. Answer B is incorrect. Firewalls are not usually placed in between servers on the internal network; VLANs are used to separate resources. Answer C is incorrect because a packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network.
21. Answer: D. If attackers can compromise the virtual machines, they will likely have control of the entire machine. Most virtual machines run with very high privileges on the host because a virtual machine needs access to the host’s hardware so that it can map the physical hardware into virtualized hardware. Answer A is incorrect because although compromising the BIOS is possible, the inherent risk is to the other environments. Answer B is incorrect because physical access is usually required to change the boot order. Answer C is incorrect because virtual environments can be secured.

22. Answer: A. Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing. Answers B and D are incorrect because the environments the virtual machines will be shared with are less secure. Answer C is incorrect because this defeats the purpose of using virtual environments.

23. Answer: B, C. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions. Virtual environments are used for cost-cutting measures, too. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did. Answer A is incorrect because virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk. Answer D is incorrect because the ability to store environments on USB devices puts data at risk.

24. Answer: B. The hypervisor controls how access to a computer’s processors and memory is shared. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that provides more than one operating system to run on a host computer at the same time. Answer A is incorrect. The BIOS holds information necessary to boot the computer. Answer C is incorrect. The operating system interfaces between the hardware and the user and provides an environment for programs and applications to run. Answer D is incorrect because it is the hypervisor, not the virtual machine applications, that controls how the virtual environment uses the host resources.

25. Answer: A, D. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did. Answer B is incorrect. It is not good forensic practice to load multiple cases on one machine, virtual or real. Answer C is incorrect because imaging hard drives and removable media should be done using a write-blocker to avoid data alteration.

26. Answer: B. Virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk. Security policy should address virtual environments. Answer A is incorrect. It is possible that other virtual machines have been compromised, too. Answers C and D are incorrect because deleting the virtual machine or replacing it by a backup copy will not guarantee that the rest of the machine or network has not been compromised.
27. Answer: A, C. Vulnerabilities also come into play in virtual environments. For example, a few years ago, VMware’s NAT service had a buffer-overflow vulnerability that allowed remote attackers to execute malicious code by exploiting the virtual machine itself. Virtual machine environments need to be patched just like host environments and are susceptible to the same issues as a host operating system. You should be cognizant of shared files among guest and host operating systems. Answers B and D are incorrect because virtual machines need to be patched just like host environments and are susceptible to the same issues as a host operating system, including malware infection.

28. Answer: C. Security policy should address virtual environment vulnerabilities. Any technology software without a defined business need should not be allowed on systems. This applies to all systems, including virtual environments. Answer A is incorrect because change management policy deals with how environmental changes are addressed. Answer B is incorrect because business continuity planning addresses how a business will survive in the long term after a mishap. Answer D is incorrect because disaster recovery planning deals with how the organization will react to a disaster.

29. Answer: C, D. Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions. Answer A is incorrect because virtual environments do not scan for viruses. Answer B is incorrect; virtual environments have nothing to do with reducing data aggregation. Data aggregation is used to gather statistics about user habits mostly for online advertising purposes.

30. Answer: C. With more emphasis being placed on going green and power becoming more expensive, virtualization offers cost benefits by decreasing the number of physical machines required within an environment; however, the security of the VMs must be considered. Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing. Answer A is incorrect because although replacing the servers may reduce the power consumption, it will be costly. Answer B is incorrect. Combining all physical hardware into one virtual server might not even be possible, and there is no guarantee this will not create additional issues. Answer D is incorrect because it does not take the security of the data into consideration.

31. Answer: A, B, C, D. Virtual environments are available to run on just about everything from servers and routers to USB thumb drives.

32. Answer: D. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that provides more than one operating system to run on a host computer at the same time. Answers A and C are incorrect because hypervisors do not interact with the OS kernel. Answer B is incorrect. This describes a mainframe environment.

33. Answer: B. The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too. Answer A is incorrect because the underlying hardware security will be affected only if the guest operating system is compromised. Answer C is incorrect. Although the host operating system needs to be secure, the immediate concerns are with the guest operating system. Answer D is incorrect. The virtual machine files are what make up the virtual machine and are part of the way the environment loads.

34. Answer: C. The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too. Answer A is incorrect because although compromising the BIOS is possible, the unintended risk is the high privileges needed to run the virtual environment. Answer B is incorrect because disaster recovery is easier using virtual machines. Answer D is incorrect because although technology advances quite rapidly, virtual environments can be secured.

35. Answer: D. To secure a virtualized environment, machines should be segmented by the sensitivity of the information they contain. A policy should be in place that specifies that hardware is not shared for test environments and sensitive data. Answer A is incorrect because although encryption is a viable solution, it might not be possible and is not always the correct solution for an organization. Answer B is incorrect. Although the host operating system needs to be secure, the immediate concerns are with the guest operating systems. Answer C is incorrect because high-security virtual machines containing vital information should never share the same hardware as virtual machines for testing.

36. Answer: C.
Platform-as-a-Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Answer A is incorrect. Software-as-a-Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer B is incorrect because Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. Answer D is incorrect because Desktop-as-a-Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.

37. Answer: A. Software-as-a-Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer B is incorrect because Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. Answer C is incorrect. Platform-as-a-Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Answer D is incorrect because Desktop-as-a-Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.

38. Answer: B. Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department. Answer A is incorrect because Software-as-a-Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer C is incorrect. Platform-as-a-Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Answer D is incorrect because Desktop-as-a-Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.

39. Answer: A. Software-as-a-Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer B is incorrect because Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. Answer C is incorrect. Platform-as-a-Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Answer D is incorrect because Desktop-as-a-Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.

40. Answer: B. Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department. Answer A is incorrect because Software-as-a-Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer C is incorrect. Platform-as-a-Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Answer D is incorrect because Desktop-as-a-Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.
Objective 1.4: Implement and use common protocols.

1. Answer: A, B. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols for managing secure communication between a client and server over the Web. Both essentially serve the same purpose, with TLS being the successor to SSL. Answer C is incorrect; Point-to-Point Tunneling Protocol (PPTP) is not cryptographic. Answer D is incorrect because Wired Equivalent Privacy (WEP) is inherently insecure and is not used specifically for client/server connections.

2. Answer: D. Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol often used to support the creation of virtual private networks (VPNs). Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer B is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server. PPTP sends authentication information in cleartext. Answer C is incorrect because Multipurpose Internet Mail Extensions (MIME) is used in email communications.

3. Answer: B. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer C is incorrect because Multipurpose Internet Mail Extensions (MIME) is used in email communications. Answer D is incorrect; Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol, not a network protocol.

4. Answer: B. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer C is incorrect because Multipurpose Internet Mail Extensions (MIME) is used in email communications. Answer D is incorrect. Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol, not a network protocol.

5. Answer: A. Secure Shell (SSH) utilizes the asymmetric (public key) Rivest, Shamir, Adleman (RSA) cryptography method to provide both connection and authentication. Answer B is incorrect; Elliptic Curve Cryptography (ECC) techniques utilize a method in which elliptic curves could be used to calculate simple, but very difficult to break, encryption keys to use in general purpose encryption. Answer C is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer D is incorrect; Pretty Good Privacy (PGP) was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails.

6. Answer: A, B, C. Data encryption with SSH is accomplished using one of the following algorithms: International Data Encryption Algorithm (IDEA), Blowfish, or Data Encryption Standard (DES). Answer D is incorrect because Diffie-Hellman is a mathematical algorithm that allows two computers to generate an identical shared secret on both systems, even though those systems may never have communicated with each other before.

7. Answer: A, D. Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a Telnet session. The SSH suite encapsulates three secure utilities: slogin, ssh, and scp. Answers B and C are incorrect because rlogin and rsh are earlier nonsecure UNIX utilities.

8. Answer: C. IPsec provides authentication services, as well as encapsulation of data through support of the Internet Key Exchange (IKE) protocol. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer B is incorrect. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer D is incorrect; a public key infrastructure (PKI) is a vast collection of varying technologies and policies for the creation and use of digital certificates.

9. Answer: D. Authentication Header (AH) provides connectionless integrity and data origin authentication for IP packets. Answer A is incorrect because the Internet Key Exchange (IKE) protocol provides for additional features and ease of configuration. IKE specifically provides authentication for IPsec peers and negotiates IPsec keys and security associations. Answer B is incorrect because Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a Telnet session. Answer C is incorrect; Internet Protocol (IP) is part of the TCP/IP suite.

10. Answer: B. If IPsec is configured to do Authentication Header (AH) only, you must permit protocol 51 traffic to pass through the stateful firewall or packet filter. Answer A is incorrect; Protocol 255 is an Internet Assigned Numbers Authority (IANA) reserved value. Answer C is incorrect; in an IP header, ESP can be identified as IP protocol number 50. Answer D is incorrect. Protocol 2 is Internet Group Management (IGMP).

11. Answer: C. Encapsulating Security Payload (ESP) provides encryption and limited traffic flow confidentiality, or connectionless integrity, data origin authentication, and an anti-replay service. In an IP header, ESP can be identified as IP protocol number 50. Answer A is incorrect; Protocol 255 is an IANA reserved value. Answer B is incorrect; Authentication Header (AH) provides connectionless integrity and data origin authentication for IP packets. In an IP header, AH can be identified as IP protocol number 51. Answer D is incorrect. Protocol 2 is Internet Group Management (IGMP).

12. Answer: B. If IPsec uses nested Authentication Header (AH) and Encapsulating Security Payload (ESP), IP can be configured to let only protocol 51 (AH) traffic pass through the stateful firewall or packet filter. Answer A is incorrect. Protocol 255 is an Internet Assigned Numbers Authority (IANA) reserved value. Answer C is incorrect; IP can be configured to let only protocol 51 (AH) traffic pass. Answer D is incorrect. Protocol 2 is Internet Group Management (IGMP).

13. Answer: A. S/MIME utilizes the Rivest, Shamir, Adleman (RSA) asymmetric encryption scheme to encrypt electronic mail transmissions over public networks. Answer B is incorrect; Elliptic Curve Cryptography (ECC) techniques utilize a method in which elliptic curves could be used to calculate simple, but very difficult to break, encryption keys to use in general-purpose encryption. Answer C is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer D is incorrect; Pretty Good Privacy (PGP) was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails.

14. Answer: C. An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications. Answer A is incorrect because HTTP is used for unsecured web-based communications. Answer B is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer D is incorrect. S/MIME is used to encrypt electronic mail transmissions over public networks.
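The protocol-number rule behind answers 10 through 12, as an added example that is not from the book: constructed IPv4 packets carrying AH (protocol 51), ESP (protocol 50) and AH-wrapped ESP are run through a small stateless filter, which shows that an AH-only allow list still passes the nested packet because its outer IP protocol field is 51. The packet builders, addresses, SPI values and policy sets are assumptions made for the demo.

```python
"""Stateless packet-filter decisions for IPsec traffic (added example, not from the book)."""
import struct

# IANA IP protocol numbers cited in the answers above.
PROTO_IGMP = 2
PROTO_ESP = 50
PROTO_AH = 51
PROTO_RESERVED = 255
PROTO_NAMES = {PROTO_IGMP: "IGMP", PROTO_ESP: "ESP", PROTO_AH: "AH", PROTO_RESERVED: "Reserved"}


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(proto: int, payload: bytes, src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Constructed minimal IPv4 packet: 20-byte header, checksum left at zero for the demo."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,               # version 4, IHL 5 (20 bytes)
                         0,                  # DSCP/ECN
                         20 + len(payload),  # total length
                         0x1234,             # identification (constructed value)
                         0x4000,             # flags: don't fragment, offset 0
                         64,                 # TTL
                         proto,              # the field a packet filter keys on
                         0,                  # header checksum (not computed here)
                         _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH header (RFC 4302): next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (RFC 4303): SPI and sequence number, followed by the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields a stateless filter needs; reject truncated or malformed headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 packet")
    return {"proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": packet[ihl:]}


def describe_ipsec(proto: int, payload: bytes) -> dict:
    """Name the protocol and, for AH/ESP, read the cleartext SPI and sequence number (handy for filter logs)."""
    if proto == PROTO_AH and len(payload) >= 12:
        next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", payload[:12])
        return {"name": "AH", "spi": spi, "seq": seq, "next_header": next_hdr}
    if proto == PROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"name": "ESP", "spi": spi, "seq": seq}
    return {"name": PROTO_NAMES.get(proto, "proto-%d" % proto)}


def filter_decision(packet: bytes, permitted_protocols) -> str:
    """Stateless rule: permit only if the IP protocol number is on the allow list."""
    return "permit" if parse_ipv4(packet)["proto"] in permitted_protocols else "deny"


# Constructed sample traffic; SPIs, sequence numbers and the ICV bytes are made up.
ICV = bytes(range(12))  # 96-bit truncated HMAC; contents do not matter for the filter
AH_ONLY_PACKET = build_ipv4(PROTO_AH, build_ah(4, 0x1001, 1, ICV) + b"inner ip packet")
ESP_PACKET = build_ipv4(PROTO_ESP, build_esp(0x2002, 7, b"\x00" * 32))
AH_OVER_ESP_PACKET = build_ipv4(PROTO_AH, build_ah(PROTO_ESP, 0x1002, 2, ICV) + build_esp(0x2003, 8, b"\x00" * 32))
IGMP_PACKET = build_ipv4(PROTO_IGMP, b"\x16\x00\x00\x00")

AH_ONLY_POLICY = {PROTO_AH}                # answers 10 and 12: permit protocol 51 only
AH_AND_ESP_POLICY = {PROTO_AH, PROTO_ESP}  # plain ESP additionally needs protocol 50

if __name__ == "__main__":
    for label, pkt in [("AH", AH_ONLY_PACKET), ("ESP", ESP_PACKET),
                       ("AH(ESP)", AH_OVER_ESP_PACKET), ("IGMP", IGMP_PACKET)]:
        hdr = parse_ipv4(pkt)
        print(label, describe_ipsec(hdr["proto"], hdr["payload"]),
              "AH-only policy:", filter_decision(pkt, AH_ONLY_POLICY))
```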
15. Answer: D. S/MIME utilizes the Rivest, Shamir, Adleman (RSA) asymmetric encryption scheme to encrypt electronic mail transmissions and provides email privacy using encryption and authentication via digital signatures. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for unsecured web-based communications. Answer B is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer C is incorrect. An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications.

16. Answer: B. PGP/MIME derives from the Pretty Good Privacy application and is an alternative to S/MIME. Basically, it encrypts and decrypts email messages using asymmetric encryption schemes such as RSA. Answer A is incorrect; Multipurpose Internet Mail Extensions (MIME) does not encrypt email. MIME extends the original Simple Mail Transfer Protocol (SMTP) to allow the inclusion of nontextual data within an email message. Answer C is incorrect because Hypertext Transfer Protocol (HTTP) is used for unsecured web-based communications. Answer D is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

17. Answer: D. Transport Layer Security (TLS) consists of two additional protocols: the TLS record protocol and the TLS handshake protocol. The handshake protocol allows the client and server to authenticate to one another, and the record protocol provides connection security. Therefore, answer A is incorrect. Answer B is incorrect; the alert protocol is used to signal errors. Answer C is incorrect; application protocol is a generic term that can be used to describe TLS.

18. Answer: A. Transport Layer Security (TLS) consists of two additional protocols: the TLS record protocol and the TLS handshake protocol. The handshake protocol allows the client and server to authenticate to one another, and the record protocol provides connection security; therefore, answer D is incorrect. Answer B is incorrect; the alert protocol is used to signal errors. Answer C is incorrect; application protocol is a generic term that can be used to describe TLS.

19. Answer: C. Hypertext Transfer Protocol Secure (HTTPS) traffic typically occurs over port 443. Answer A is incorrect; port 8080 is a popular alternative to port 80 for offering web services. Answer B is incorrect; the default port for unencrypted HTTP traffic is port 80. Answer D is incorrect; TCP port 445 is used for Server Message Block (SMB) over TCP.

20. Answer: D. Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a Telnet session. Answers A and B are incorrect; Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are best known for protecting Hypertext Transfer Protocol (HTTP) web traffic and transactions, commonly known as Hypertext Transfer Protocol over SSL (HTTPS), which is a secure HTTP connection. Answer C is incorrect; Wired Equivalent Privacy (WEP) uses the RC4 cipher for confidentiality of wireless communications.
21. Answer: D. An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications. Answer A is incorrect. S/MIME is used to encrypt electronic mail transmissions over public networks. Answer B is incorrect because HTTP is used for unsecured web-based communications. Answer C is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

22. Answer: A. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Answer B is incorrect. S/MIME is used to encrypt electronic mail transmissions over public networks. Answer C is incorrect because HTTPS is used for secured web-based communications. Answer D is incorrect because S-HTTP is an alternative to HTTPS, which was developed to support connectivity for banking transactions and other secure web communications.

23. Answer: B. The Secure Copy Protocol (SCP) is a network protocol that supports file transfers. SCP is a combination of RCP and SSH. It uses the BSD RCP protocol tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. Answer A is incorrect because SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Answer C is incorrect because HTTPS is used for secured web-based communications. Answer D is incorrect. FTPS, also known as FTP Secure and FTP-SSL, is an FTP extension that adds support for TLS and SSL.

24. Answer: C. Ports 20 and 21 are used for FTP. Answer A is incorrect because these are NetBIOS ports that are required for certain Windows network functions such as file sharing. Answer B is incorrect because these ports are used for SNMP. Answer D is incorrect because these ports are used for email.

25. Answer: B. Traceroute uses an ICMP echo request packet to find the path between two addresses. Answer A is incorrect because SSL is a public key based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. Answer C is incorrect because the Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. Answer D is incorrect because SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power.
Chapter 1
Objective 1.5: Identify commonly used ports.

1. Answer: B. SCP operates on port 22. Answer A is incorrect because DNS uses port 53. Answer C is incorrect because HTTPS uses port 443. Answer D is incorrect because SMB uses port 445.

2. Answer: C. HTTPS uses port 443. Answer A is incorrect because DNS uses port 53. Answer B is incorrect because SCP operates on port 22. Answer D is incorrect because SMB uses port 445.

3. Answer: A. DNS uses port 53. Answer B is incorrect because SCP operates on port 22. Answer C is incorrect because HTTPS uses port 443. Answer D is incorrect because SMB uses port 445.

4. Answer: D. SMB uses port 445. Answer A is incorrect because DNS uses port 53. Answer B is incorrect because SCP operates on port 22. Answer C is incorrect because HTTPS uses port 443.

5. Answer: C. Telnet uses port 23. Answer A is incorrect because SMTP uses port 25. Answer B is incorrect because TFTP uses port 69. Answer D is incorrect because POP3 uses port 110.

6. Answer: D. POP3 uses port 110. Answer A is incorrect because SMTP uses port 25. Answer B is incorrect because TFTP uses port 69. Answer C is incorrect because Telnet uses port 23.

7. Answer: C. SMTP uses port 25. Answer A is incorrect because FTP uses port 21. Answer B is incorrect because SSH, SFTP, and SCP all use port 22. Answer D is incorrect because Telnet uses port 23.

8. Answer: A, D. SNMP uses ports 161 (agent queries) and 162 (traps). Answer B is incorrect because RADIUS uses port 1812 for authentication (1813 carries accounting). Answer C is incorrect because HTTPS uses port 443.

9. Answer: B. RADIUS uses port 1812. Answer A is incorrect because NetBIOS uses ports 137, 138, and 139. Answer C is incorrect because portmap uses port 111. Answer D is incorrect because HTTPS uses port 443.

10. Answer: B, C. HTTP uses port 80 and HTTPS uses port 443. Answer A is incorrect because POP3 uses port 110. Answer D is incorrect because SMTP uses port 25.

11. Answer: A. FTPS uses port 990 (implicit FTPS; explicit FTPS negotiates TLS on the normal FTP control port, 21). Answer B is incorrect because SCP uses port 22. Answer C is incorrect because HTTPS uses port 443. Answer D is incorrect because SMB uses port 445.

12. Answer: D. Netstat uses port 15. (Port 15 is the historical IANA assignment for a "netstat" service; the netstat command on a modern host reads the local socket table and does not listen on any port, so treat this as exam trivia rather than something a port scan will show.) Answer A is incorrect because NetBIOS uses ports 137, 138, and 139. Answer B is incorrect because portmap uses port 111. Answer C is incorrect because Telnet uses port 23.

13. Answer: B, D. POP3 uses port 110 and SMTP uses port 25. Answer A is incorrect because HTTPS uses port 443. Answer C is incorrect because Telnet uses port 23.

14. Answer: A. NetBIOS uses ports 137, 138, and 139. Answer B is incorrect because portmap uses port 111. Answer C is incorrect because Telnet uses port 23. Answer D is incorrect because Netstat uses port 15.
15. Answer: B. Portmap uses port 111. Answer A is incorrect because NetBIOS uses ports 137, 138, and 139. Answer C is incorrect because Telnet uses port 23. Answer D is incorrect because Netstat uses port 15.

16. Answer: A, C, D. NetBIOS uses ports 137, 138, and 139. Answer B is incorrect because SMB uses port 445.

17. Answer: A, B, C. SSH, SFTP, and SCP all use port 22. Answer D is incorrect because TFTP uses port 69.

18. Answer: B. TFTP uses port 69. Answer A is incorrect because FTP uses port 21. Answer C is incorrect because SFTP uses port 22. Answer D is incorrect because HTTPS (HTTP over SSL/TLS) uses port 443.

19. Answer: C. FTP uses port 21. Answer A is incorrect because SFTP uses port 22. Answer B is incorrect because HTTPS (HTTP over SSL/TLS) uses port 443. Answer D is incorrect because TFTP uses port 69.

20. Answer: D. A connection using HTTP over SSL/TLS (HTTPS) is made to port 443. The cipher suite is negotiated during the handshake; RC4, which the exam-era wording assumes, is now prohibited for TLS by RFC 7465, so do not treat it as a fixed property of HTTPS. Answer A is incorrect because port 110 is used for POP3 connections. Answer B is incorrect because port 445 is used for SMB. Answer C is incorrect because port 138 is used for NetBIOS.
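The port numbers in this objective are what a port scan or a socket listing hands back, and the useful follow-up is to pick out the cleartext services among them and name the protected alternative the objective lists. The following Python is an added example, not code from the book: it parses a listing constructed in the shape of Linux `ss -tuln` output (the sample is made up, not captured from a host) and reports cleartext listeners bound to non-loopback addresses, using only the port assignments from this objective.

```python
"""Flag cleartext services in a socket listing, using the port assignments
from objective 1.5.

Added example, not code from the book. SAMPLE_SS_OUTPUT is constructed in the
shape of Linux `ss -tuln` output and is not captured from a real host.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (protocol, port) -> service, as listed in the objective 1.5 answers.
SERVICE_BY_PORT: Dict[Tuple[str, int], str] = {
    ("tcp", 21): "FTP", ("tcp", 22): "SSH/SFTP/SCP", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 69): "TFTP", ("tcp", 80): "HTTP", ("tcp", 110): "POP3",
    ("tcp", 111): "portmap", ("udp", 111): "portmap",
    ("udp", 137): "NetBIOS-NS", ("udp", 138): "NetBIOS-DGM", ("tcp", 139): "NetBIOS-SSN",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP-trap", ("tcp", 443): "HTTPS",
    ("tcp", 445): "SMB", ("tcp", 990): "FTPS", ("udp", 1812): "RADIUS",
}

# Cleartext services and the protected replacement the objective names.
# TFTP, POP3 and SNMP have no replacement listed in this objective; they are
# still reported so they can be restricted or tunnelled.
RESTRICT = "no protected replacement listed in this objective; restrict exposure"
CLEARTEXT: Dict[Tuple[str, int], str] = {
    ("tcp", 21): "use SFTP/SCP over SSH (22) or FTPS (990)",
    ("tcp", 23): "use SSH (22)",
    ("tcp", 80): "use HTTPS (443)",
    ("tcp", 110): RESTRICT,
    ("udp", 69): RESTRICT,
    ("udp", 161): RESTRICT,
}

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class ListenerFinding:
    proto: str
    port: int
    service: str
    bind_addr: str
    recommendation: str


def parse_local_socket(field: str) -> Tuple[str, int]:
    """Split the Local Address:Port column, which may read '0.0.0.0:21', '*:22' or '[::]:80'."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def audit_listeners(ss_output: str) -> List[ListenerFinding]:
    """Return one finding per cleartext service bound to a non-loopback address."""
    findings: List[ListenerFinding] = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Data rows: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header row, or a protocol this check does not cover
        proto = fields[0]
        addr, port = parse_local_socket(fields[4])
        if addr in LOOPBACK:
            continue  # reachable only from the host itself
        key = (proto, port)
        if key in CLEARTEXT:
            findings.append(ListenerFinding(proto, port, SERVICE_BY_PORT[key], addr, CLEARTEXT[key]))
    return sorted(findings, key=lambda f: f.port)


# Constructed sample in the shape of `ss -tuln`; not real data.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0      0        127.0.0.1:69        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:110       0.0.0.0:*
tcp   LISTEN 0      128           [::]:80           [::]:*
tcp   LISTEN 0      128           [::]:443          [::]:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f.proto}/{f.port} {f.service} bound to {f.bind_addr}: {f.recommendation}")
```

On the sample, the POP3 and TFTP listeners are skipped because they are bound to loopback only; FTP, Telnet, HTTP and SNMP are reported because they accept connections from any address. Feed it the real `ss -tuln` output of a host to get the same report for that host.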
Objective 1.6: Implement wireless network in a secure manner.

1. Answer: B. The WPA2 standard implements the 802.11i-2004 protocols and, at the time of the SY0-301 objectives, was the highest standard for Wi-Fi communication security (WPA3 has since been published, but WPA2 is what this exam covers). Answer A is incorrect because WAP is ambiguous: it names the Wireless Application Protocol stack used by handheld devices and is also used loosely for a wireless access point, and neither is an encryption standard. Answer C is incorrect because WEP2 was a stopgap enhancement to WEP present in some of the early 802.11i drafts. Answer D is incorrect because the WEP standard was proven to be insecure and has been replaced by the newer WPA standards.

2. Answer: C. When a client attempts to make an 802.1X-compliant connection, it first contacts a wireless access point (AP). The AP acts as the authenticator: it relays the client's challenge-response (EAP) exchange to the authentication server and, once the client is authenticated, provides connectivity to a wired network or serves as a bridge to a secondary wireless AP. Answers A and D are incorrect because no user interaction is required for the authentication exchange itself. Answer B is incorrect because a hardware token is a security token used in multifactor authentication; it has nothing to do with how a client authenticates to a WAP.

3. Answer: A. Standards that rotate encryption keys over time, such as the Temporal Key Integrity Protocol (TKIP) and the Wi-Fi Protected Access (WPA/WPA2) standards, address weak-key encryption. TKIP was itself a stopgap for WEP-era hardware and is now deprecated; WPA2's CCMP (AES) is the current choice. Answer B is incorrect because persons wanting to "sniff" the data transmitted over a wireless network can use many solutions to increase the distance over which detection is possible, including reflective tube waveguides (such as the popular Pringles can) and flying devices overhead that extend detection range without interference from building structures, and no key-rotation scheme changes that. Answer C is incorrect because mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device, an attack referred to as bluejacking. Answer D is incorrect because war-driving is the popular pastime of driving around with a laptop configured to listen for open 802.11 access points announcing their SSID broadcasts.

4. Answer: D. WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point. Answer A is incorrect because the Wireless Application Environment (WAE) specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, and PDAs. Answers B and C are incorrect because Wireless Session Layer (WSL), Wireless Transport Layer (WTL), and Wireless Transport Layer Security (WTLS) are specifications included in the WAP standard.

5. Answer: D. The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. WPA includes many of the functions of the 802.11i protocol but relies on the Rivest Cipher 4 (RC4), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval. Answers A and C are incorrect because they are encryption standards not associated with the Wi-Fi Alliance. Answer B is incorrect because WAP refers to the Wireless Application Protocol used by handheld devices and, loosely, to wireless access points.

6. Answer: A, C. The IEEE and IETF specify 802.1X and EAP as the standards for secure wireless networking, and Protected EAP (PEAP) is standards based. PEAP provides mutual authentication and uses a certificate for the client to authenticate the server, while users have the convenience of entering password-based credentials. Answer B is incorrect because LEAP is a Cisco-proprietary protocol. Answer D is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point.

7. Answer: D. CCMP uses 128-bit AES keys with a 48-bit packet number (PN) serving as the initialization vector (IV); because the PN only ever increases under a given key, a receiver can reject replayed frames. Answer A is incorrect because ICMP is a network troubleshooting protocol. Answer B is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks. Answer C is incorrect because WPA protects networks by incorporating a set of enhanced security features; in personal mode, WPA-protected networks require users to enter a passkey to access the wireless network.

8. Answer: C. LEAP combines centralized two-way authentication with dynamically generated wired equivalent privacy (WEP) keys. Its password-based challenge-response exchange is exposed to offline dictionary attacks, which is why it is deprecated in favor of PEAP and EAP-FAST. Answer A is incorrect because EAP is a challenge-response framework that can be run over secured transport mechanisms. Answer B is incorrect because PEAP provides mutual authentication and uses a certificate for the client to authenticate the server. Answer D is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point.

9. Answer: B. An antenna that is too strong raises security concerns. Strong omnidirectional Wi-Fi signals radiate farther into neighboring areas, where they can be readily detected and captured. Minimizing transmission power reduces the chance that your data will leak out. Answer A is incorrect because antenna placement should not be relied on as a security mechanism. Answer C is incorrect because leaving the default SSID in place poses a security risk even if the AP is not broadcasting it. Answer D is incorrect because MAC filtering permits and denies network access through the use of blacklists and whitelists.

10. Answer: D. MAC filtering permits and denies network access through the use of blacklists and whitelists. Answer A is incorrect because antenna placement should not be relied on as a security mechanism. Answer B is incorrect because an antenna that is too strong raises security concerns: strong omnidirectional Wi-Fi signals radiate farther into neighboring areas, where they can be readily detected and captured. Answer C is incorrect because leaving the default SSID in place poses a security risk even if the AP is not broadcasting it.

11. Answer: A, B, D. Wireless networks often announce their service set identifier (SSID) so that mobile devices can discover available WAPs. Turning off this broadcast makes it harder for a casual packet sniffer to identify a WAP, but it is not truly secure because the SSID is sent in plain text whenever a client connects to the network. Turning off SSID broadcast should still be considered a best practice, along with conducting a site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible (remembering that a permitted MAC address is easy for an attacker to spoof). Answer C is incorrect because turning on DHCP allows a rogue client to obtain an address automatically and therefore increases the exposure.

12. Answer: A. Wireless networks often announce their service set identifier (SSID) so that mobile devices can discover available WAPs. Turning off this broadcast makes it harder for a casual packet sniffer to identify a WAP, but it is not truly secure because the SSID is sent in plain text whenever a client connects to the network. Answer B is incorrect because privilege escalation is a vulnerability represented by accidental or intentional access to resources not intended for the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to features of an application reserved for other users. Answer C is incorrect because back doors are application code functions, created intentionally or unintentionally, that allow unauthorized access to networked resources. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacks complexity, is derived from a common dictionary word, or is derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

13. Answer: A. In general, a MAC address added to the approved list is never denied access; this is known as a whitelist. Answer B is incorrect because a MAC address added to the blocked list is always denied access; this is known as a blacklist. Answer C is incorrect because graylisting relates to the whitelisting and blacklisting of email: each time a mailbox receives mail from an unknown sender (IP), the mail is rejected with a temporary "try again later" response, which legitimate mail servers retry and most spam engines do not. Answer D is incorrect because brownlisting is a concept based on a CBL-type system driven by tokens from blocked sites.
14. Answer: A, D. The IEEE and IETF specify 802.1X and EAP as the standards for secure wireless networking, and Protected EAP (PEAP) is standards based. PEAP provides mutual authentication and uses a certificate for the client to authenticate the server, while users have the convenience of entering password-based credentials. Answer B is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point. Answer C is incorrect because LEAP is a Cisco-proprietary protocol.

15. Answer: C. To provide replay protection, CCMP carries a packet number (PN) field in every frame. CCMP also produces a message integrity code (MIC) that provides data origin authentication and data integrity for the packet payload. Answer A is incorrect because WPA protects networks by incorporating a set of enhanced security features; in personal mode, WPA-protected networks require users to enter a passkey to access the wireless network. Answer B is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks. Answer D is incorrect because ICMP is a network troubleshooting protocol.
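Questions 7 and 15 turn on two CCMP mechanisms: the 48-bit packet number (PN) that lets a receiver reject replayed frames, and the MIC that binds the PN and payload so that a captured frame cannot be edited to look fresh. The following Python is an added example, not code from the book or from any 802.11 implementation. It models a transmitter and a receiver with a strictly increasing PN per sender, and it stands in HMAC-SHA256 from the standard library for CCMP's AES-CCM MIC (an assumption made so the block runs without an AES package); the key and the MAC address are constructed values.

```python
"""Replay protection with a 48-bit packet number (PN) and a per-frame MIC,
the two CCMP mechanisms behind objective 1.6 questions 7 and 15.

Added example, not code from the book or from any 802.11 implementation.
CCMP derives its 8-byte MIC from AES-CCM; this block uses HMAC-SHA256 from the
standard library in its place (an assumption made so the block runs without
an AES package). The key and the MAC address are constructed values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

PN_BITS = 48
PN_MAX = (1 << PN_BITS) - 1
MIC_LEN = 8  # CCMP's MIC is 8 bytes


@dataclass(frozen=True)
class Frame:
    sender: str    # transmitter address carried in the 802.11 header
    pn: int        # packet number carried in the CCMP header (the "IV")
    payload: bytes
    mic: bytes


def compute_mic(key: bytes, sender: str, pn: int, payload: bytes) -> bytes:
    """MIC over sender, PN and payload. Because the PN is authenticated, an
    attacker cannot bump the PN on a captured frame to get it past the replay check."""
    msg = sender.encode() + pn.to_bytes(PN_BITS // 8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MIC_LEN]


class Transmitter:
    def __init__(self, key: bytes, addr: str) -> None:
        self.key, self.addr, self._pn = key, addr, 0

    def send(self, payload: bytes) -> Frame:
        if self._pn >= PN_MAX:
            raise RuntimeError("PN space exhausted; rekey before sending more")
        self._pn += 1  # never reused under one key
        return Frame(self.addr, self._pn, payload,
                     compute_mic(self.key, self.addr, self._pn, payload))


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_pn: Dict[str, int] = {}          # highest PN accepted per sender
        self.dropped: List[Tuple[int, str]] = []   # (pn, reason) for rejected frames

    def receive(self, frame: Frame) -> bool:
        """Accept only frames whose MIC verifies and whose PN exceeds the last accepted one."""
        expected = compute_mic(self.key, frame.sender, frame.pn, frame.payload)
        if not hmac.compare_digest(expected, frame.mic):
            self.dropped.append((frame.pn, "mic-failure"))
            return False
        if frame.pn <= self.last_pn.get(frame.sender, 0):
            self.dropped.append((frame.pn, "replay"))
            return False
        self.last_pn[frame.sender] = frame.pn
        return True


def demo() -> Tuple[List[bool], List[Tuple[int, str]]]:
    key = b"\x11" * 16  # constructed pairwise key; a real one comes from the 4-way handshake
    tx, rx = Transmitter(key, "02:00:00:00:00:01"), Receiver(key)
    first, second = tx.send(b"hello"), tx.send(b"world")
    results = [rx.receive(first), rx.receive(second), rx.receive(first)]  # third is a replay
    # Attacker re-sends the second frame with a higher PN; the MIC no longer matches.
    forged = Frame(second.sender, second.pn + 1, second.payload, second.mic)
    results.append(rx.receive(forged))
    return results, rx.dropped


if __name__ == "__main__":
    print(demo())
```

The two rejections in the demo are the two halves of the mechanism: the copied frame fails the PN check, and the frame with an edited PN fails the MIC check. The `PN_MAX` guard is why a long-lived association must rekey before the counter wraps, since reusing a PN under the same key would both break replay detection and repeat a CCM nonce.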
CHAPTER TWO
Domain 2.0: Compliance and Operational Security

The traditional "C-I-A Triad" of security directives includes maintaining the Confidentiality, Integrity, and Availability of data and services. Threats to these three principles are constantly present and evolving. Defensive measures must be put into place to mitigate risk within the enterprise. Domain 2 of the Security+ exam requires that you are familiar with risk, mitigation strategies, incident response, and environmental security controls, as well as the requirements for business continuity/continuity of operations and disaster recovery planning, and securing the devices on the network. Be sure to give yourself plenty of time to review all these concepts. The following list identifies the key areas from Domain 2.0 (which counts as 18% of the exam) that you need to master:

- Explain risk-related concepts
- Carry out appropriate risk mitigation strategies
- Execute appropriate incident response procedures
- Explain the importance of security-related awareness and training
- Compare and contrast aspects of business continuity
- Explain the impact and proper use of environmental controls
- Execute disaster recovery plans and procedures
- Exemplify the concepts of confidentiality, integrity, and availability
Practice Questions

Objective 2.1: Explain risk related concepts.

1. Which of the following will have the greatest effect on the formulation of organizational policies?
   A. The board of directors
   B. The needs of the users
   C. Current and pending vendor contracts
   D. Current and pending legislation

2. An organization is formulating a policy that will provide details that specify what users may do with their network access, including Internet access. Which of the following best describes this policy?
   A. Information sensitivity policy
   B. Acceptable use policy
   C. Change management policy
   D. Computer security policy

3. Upon logon to the network, an organization displays a statement stating that network access is granted under certain conditions and that all activities may be monitored. Which of the following best describes this policy?
   A. Information sensitivity policy
   B. Acceptable use policy
   C. Change management policy
   D. Computer security policy

4. At the customer service desk of an electronics vendor, return items are entered by the desk clerk. Before refunds are issued, a manager must review the refund request and enter a password into the system to complete the transaction. Which of the following best describes this action?
   A. Due care
   B. Due diligence
   C. Principle of least privilege
   D. Separation of duties
5. An organization has set forth in policies a statement regarding reasonable care a person should take before entering into an agreement or a transaction with another party. Which of the following best describes this statement?
   A. Due care
   B. Due diligence
   C. Due process
   D. Due course

6. An organization has set forth in policies a statement regarding knowledge and actions that a reasonable and prudent person would possess or act upon. Which of the following best describes this statement?
   A. Due care
   B. Due diligence
   C. Due process
   D. Due course

7. An organization has set forth in policies a statement stating that any employee legal proceedings must be fair. Which of the following best describes this statement?
   A. Due care
   B. Due diligence
   C. Due process
   D. Due course

8. An employee entered into a large contract with a vendor without reviewing any of the terms of the contract. The organization suffered a huge financial loss as a result of the terms of the contract. Which of the following principles was violated by this action?
   A. Due care
   B. Due diligence
   C. Due process
   D. Due course

9. A network administrator disabled the network firewall to allow his department to post materials to his personal FTP site. During this period of time, a denial of service attack was launched against the network. The organization suffered several hours of downtime. Which of the following principles was violated by this action?
   A. Due care
   B. Due diligence
   C. Due process
   D. Due course

10. An employee accused of sexual harassment was promptly dismissed by the immediate supervisor without any notification to human resources or discussion with the accused employee. As a result, the organization became involved in a lengthy lawsuit. Which of the following principles was violated by the immediate supervisor's actions?
   A. Due care
   B. Due diligence
   C. Due process
   D. Due course

11. A financial institution is establishing policies that address balance of power. Which of the following principles is the financial institution most likely to implement?
   A. Due care
   B. Due diligence
   C. Principle of least privilege
   D. Separation of duties

12. A financial institution is establishing policies that outline the manner in which a user is associated with necessary information and system resources. It has been discovered that due to the nature of the position, the systems administrators never have scheduled time off and are on call during any scheduled days off. Which of the following principles will the institution implement to remedy this situation?
   A. Mandatory vacations
   B. Security compliance
   C. Principle of least privilege
   D. Due diligence

13. A financial institution is establishing policies that address balance of power. Which of the following actions can the financial institution implement to keep one person from having complete control of a transaction from beginning to end? (Select all correct answers.)
   A. Job rotation
   B. Change management
   C. Mandatory vacations
   D. Cross-training
14. An organization is establishing a policy for dealing with privacy-sensitive information. Which of the following information would have to be included in the policy? (Select all correct answers.)
   A. Email address
   B. Name
   C. Address
   D. Group membership

15. Which of the following aspects of security policy planning details how fast a vendor must have a new server delivered onsite?
   A. Business impact analysis
   B. Service level agreement
   C. Disaster recovery plan
   D. Disaster recovery policies

16. Which of the following aspects of security policy planning spells out the processes, service expectations, and service metrics expected by parties involved in a cooperative partnership?
   A. Business impact analysis
   B. Service level agreement
   C. Disaster recovery plan
   D. Disaster recovery policies

17. When termination involves a power user with high-level access rights or knowledge of service administrator passwords, which of the following should the organization do?
   A. Immediately wipe the user's computer
   B. Conduct a thorough exit interview
   C. Institute password and security updates
   D. Thoroughly search the user's work area

18. An organization is implementing a user-awareness training program. Valuable information can be gathered by hackers and other agents seeking unauthorized access through information posted on the organizational website about which of the following groups?
   A. Executives
   B. IT administrators
   C. Organizational users
   D. Security guards
19. An organization is implementing a user-awareness training program. Which of the following groups can provide the most valuable support for security initiatives to ensure that published security training and other requirements are applied to all users equally?
   A. Executives
   B. IT administrators
   C. Organizational users
   D. Security guards

20. Metrics for security baselines and hardening efforts rely on which of the following?
   A. Mitigation of threats and attacks
   B. Identification of security measures and policies
   C. Identification of vulnerability and risk
   D. Mitigation of vulnerability and risk

21. When the risk of equipment loss is covered by a full-replacement insurance policy, which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated

22. An organization removes legacy dial-up telephony modem devices to prevent war-dialing attacks. Which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated

23. When an organization installs a firewall to prevent attacks, which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated
24. When an organization decides the cost of an IDS is too expensive to implement, which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated

25. Which of the following best describes the primary purpose of a risk assessment?
   A. To collect user logins and passwords for administrative purposes
   B. To scan the network to find and address vulnerabilities
   C. To properly store and protect personally identifiable information
   D. To identify existing threats and potential mitigation mechanisms

26. Which of the following is the correct formula for calculating annual loss expectancy?
   A. SLE × ARO
   B. ALE × SLE
   C. ALE × ARO
   D. CLE × SLE

27. Which of the following best describes how single loss expectancy is calculated?
   A. Loss prevented minus the total cost of the solution
   B. Asset value multiplied by the threat exposure factor
   C. Threat factor multiplied by potential vulnerability
   D. Annualized rate of occurrence multiplied by threat factor

28. An organization has identified and reduced risk to a level that is comfortable and then implemented controls to maintain that level. Which of the following best describes this action?
   A. Risk management
   B. Risk acceptance
   C. Risk analysis
   D. Risk transference
29. An organization identified risks, estimated the impact of potential threats, and identified ways to reduce the risk without the cost of the prevention outweighing the risk. Which of the following best describes this action?
   A. Risk management
   B. Risk acceptance
   C. Risk analysis
   D. Risk transference

30. Which of the following best describes risk?
   A. Probability of threat exposure
   B. Cumulative loss expectancy
   C. Possibility of loss or danger
   D. Mitigation of loss or danger

31. Which of the following best describes the difference between qualitative measures and quantitative measures?
   A. Quantitative measures evaluate risk based on a subjective assessment.
   B. Qualitative measures are less precise.
   C. Qualitative measures are easier to measure for ROI/RROI.
   D. Quantitative measures are always better than qualitative measures.

32. Which of the following best describes a control that allows unauthorized access, identifying the access falsely as valid?
   A. False negative
   B. Technical control
   C. False positive
   D. Management control

33. Which of the following best describes a control that refuses authorized access, identifying the access falsely as invalid?
   A. False negative
   B. Technical control
   C. False positive
   D. Management control
34. Which of the following types of control is a security policy?
   A. Logical control
   B. Technical control
   C. Physical control
   D. Management control

35. Which of the following types of control is a surveillance system?
   A. Logical control
   B. Technical control
   C. Physical control
   D. Management control

Objective 2.2: Carry out appropriate risk mitigation strategies.

1. During the process of risk assessment, which of the following would be reviewed? (Select all correct answers.)
   A. Audit policies
   B. Access methods
   C. Financial records
   D. Hiring procedures

2. Which of the following best describes return on investment?
   A. Estimating the impact of potential threats and identifying ways to reduce the risk
   B. Implemented controls to maintain a level of risk that is comfortable for the organization
   C. A measure of how effectively a company uses the money invested in its operations
   D. The ratio of money realized on an investment relative to the amount of money invested

3. When the return on investment is calculated, if the result is a negative number, which of the following is true?
   A. Less money was spent than the loss prevented.
   B. More money was spent than the loss prevented.
   C. The money spent was not a worthwhile investment.
   D. The money spent was an excellent investment.
4. Which of the following best describes exposure factor or probability?
   A. The weakness that allows an attacker to violate the integrity of a system
   B. The actual amount of loss prevented by implementing a total cost solution
   C. The percentage of loss that a realized threat could have on a certain asset
   D. The estimated possibility of a specific threat taking place in a one-year period

5. An organization is formulating a policy that will define specific details on any configuration alterations to machines or operating systems. Which of the following best describes this policy?
   A. Information sensitivity policy
   B. Acceptable use policy
   C. Change management policy
   D. Computer security policy
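Questions 26 and 27 of objective 2.1 and questions 2 through 4 of objective 2.2 rest on the same arithmetic: SLE = asset value × exposure factor, ALE = SLE × ARO, and the return on a control as the loss it prevents set against what it costs. The following Python is an added example, not code from the book. The asset value, exposure factors, occurrence rates and control costs are constructed figures, and ROI is taken as (loss prevented − annual cost) / annual cost, one common form of the "money realized relative to money invested" ratio, so that a negative value means the control cost more than the loss it prevented.

```python
"""SLE, ALE and the return on a control: the arithmetic behind objective 2.1
questions 26-27 and objective 2.2 questions 2-4.

Added example, not code from the book. The asset value, exposure factors,
occurrence rates and control costs are constructed. ROI is computed as
(loss prevented - annual cost) / annual cost, one common form of the
"money realized relative to money invested" ratio; a negative value means
the control cost more than the loss it prevented.
"""
from dataclasses import dataclass
from typing import Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF, the fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a percentage; pass it as 0.0-1.0")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (ARO, the expected number of occurrences in one year)."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class ControlEvaluation:
    name: str
    ale_before: float    # ALE with no control in place
    ale_after: float     # ALE once the control lowers EF and/or ARO
    annual_cost: float   # total yearly cost of the solution

    @property
    def loss_prevented(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> float:
        """Loss prevented minus the total cost of the solution."""
        return self.loss_prevented - self.annual_cost

    @property
    def roi(self) -> float:
        return self.net_benefit / self.annual_cost

    @property
    def worthwhile(self) -> bool:
        return self.roi > 0.0


def evaluate_control(name: str, asset_value: float, ef_before: float, aro_before: float,
                     ef_after: float, aro_after: float, annual_cost: float) -> ControlEvaluation:
    """Compute before/after ALE for one control and package the comparison."""
    if annual_cost <= 0.0:
        raise ValueError("a control with no cost has no ROI to compute")
    before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return ControlEvaluation(name, before, after, annual_cost)


def demo() -> Tuple[ControlEvaluation, ControlEvaluation]:
    # Constructed scenario: a $200,000 database server. A ransomware event is
    # expected to destroy 25% of its value (EF 0.25) about once every five
    # years (ARO 0.2), giving SLE = $50,000 and ALE = $10,000.
    asset_value, ef, aro = 200_000.0, 0.25, 0.2
    # Offline backups do not change how often it happens but cut what is lost.
    backups = evaluate_control("offline backups", asset_value, ef, aro, 0.05, aro, 4_000.0)
    # A hardware refresh halves the rate but costs more than it saves.
    refresh = evaluate_control("hardware refresh", asset_value, ef, aro, ef, 0.1, 12_000.0)
    return backups, refresh


if __name__ == "__main__":
    for c in demo():
        print(f"{c.name}: prevents ${c.loss_prevented:,.0f}/yr, "
              f"net ${c.net_benefit:,.0f}, ROI {c.roi:+.2f}")
```

In the constructed scenario the backups prevent $8,000 of expected loss a year for $4,000 (ROI +1.00), while the refresh prevents $5,000 for $12,000 (ROI −0.58), which is the negative result question 3 asks about: more money spent than loss prevented.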
6. Which of the following policies helps track potential resources at risk within a network?
   A. Information sensitivity policy
   B. Audit policy
   C. Change management policy
   D. Storage and retention policy

7. When preparing to securely dispose of a hard drive, what is the term for reducing the magnetic flux density of the media to zero?
   A. Overwriting
   B. Destruction
   C. Degaussing
   D. Declassification

8. When configuring an audit policy, which of the following should be audited?
   A. Successful and failed login attempts
   B. Successful login attempts only
   C. Failed login attempts only
   D. Successful and failed login attempts should never be audited
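Question 8 asks what an audit policy should record, and the reason both outcomes matter only becomes visible when detection logic is run over the records. The following Python is an added example, not code from the book: it reads constructed log lines in the shape of OpenSSH sshd messages (addresses from documentation ranges; the failure threshold is an assumed tuning value) and reports sources that fail repeatedly and, separately, a success from a source that had already failed many times. Failure-only auditing never records that success, and success-only auditing cannot tell it from a normal logon.

```python
"""Why an audit policy records both successful and failed logons (objective 2.2 Q8).

Added example, not code from the book. SAMPLE_LOG is constructed in the shape
of OpenSSH sshd messages with addresses from documentation ranges, and
FAILURE_THRESHOLD is an assumed tuning value.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 5  # assumed tuning value


@dataclass(frozen=True)
class AuthFinding:
    src: str
    kind: str                # "brute-force" or "success-after-failures"
    failures: int
    users: Tuple[str, ...]


def review_auth_log(lines: List[str], threshold: int = FAILURE_THRESHOLD) -> List[AuthFinding]:
    """Correlate failures and successes per source address."""
    failures: Dict[str, int] = {}
    tried: Dict[str, Set[str]] = {}
    findings: List[AuthFinding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon outcome line
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] = failures.get(src, 0) + 1
            tried.setdefault(src, set()).add(user)
        elif failures.get(src, 0) >= threshold:
            # A success from a source that has been hammering the service:
            # failure-only auditing never records it, success-only auditing
            # cannot tell it from a normal logon.
            findings.append(AuthFinding(src, "success-after-failures", failures[src], (user,)))
    for src, n in failures.items():
        if n >= threshold:
            findings.append(AuthFinding(src, "brute-force", n, tuple(sorted(tried[src]))))
    return findings


# Constructed sample in the shape of sshd syslog output; not real data.
SAMPLE_LOG = [
    "Mar  3 10:01:02 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "Mar  3 10:01:05 bastion sshd[4102]: Failed password for root from 203.0.113.5 port 50123 ssh2",
    "Mar  3 10:01:09 bastion sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 50125 ssh2",
    "Mar  3 10:01:14 bastion sshd[4104]: Failed password for invalid user oracle from 203.0.113.5 port 50126 ssh2",
    "Mar  3 10:01:20 bastion sshd[4105]: Failed password for invalid user guest from 203.0.113.5 port 50128 ssh2",
    "Mar  3 10:01:40 bastion sshd[4109]: Accepted password for alice from 203.0.113.5 port 50131 ssh2",
    "Mar  3 10:02:10 bastion sshd[4120]: Accepted publickey for bob from 198.51.100.7 port 41000 ssh2",
    "Mar  3 10:03:00 bastion sshd[4130]: Failed password for carol from 198.51.100.9 port 41002 ssh2",
]

if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_LOG):
        print(f"{f.src}: {f.kind} ({f.failures} failures, users {', '.join(f.users)})")
```

On the sample, 203.0.113.5 is reported twice: once for the five failures across guessed usernames, and once for the password logon as alice that followed them, which is the event worth paging someone for. The single failure from 198.51.100.9 stays below the threshold and is not reported.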
9. Which of the following is the process whereby the contents from media are removed as fully as possible for future reuse?
   A. Overwriting
   B. Sanitation
   C. Destruction
   D. Declassification

10. Which of the following should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for security-related incidents?
   A. Information sensitivity policy
   B. Audit policy
   C. Storage and retention policy
   D. Incident response policy

Objective 2.3: Execute appropriate incident response procedures.

1. Which of the following best describes the application of investigative and analytical techniques to acquire and protect potential legal evidence?
   A. Due diligence
   B. Chain of custody
   C. Due process
   D. Computer forensics

2. Which of the following best describes the documentation of how evidence traveled from the crime scene to the courtroom?
   A. Due diligence
   B. Chain of custody
   C. Due process
   D. Computer forensics

3. Which of the following are concepts behind computer forensics? (Select all correct answers.)
   A. Identifying the evidence
   B. Identifying the suspect
   C. Determining how to preserve the evidence
   D. Determining how to prosecute the suspect
86
Chapter 2
✓
Quick Check
4. Which of the following best describes the documentation of how evidence was collected and preserved?
❍ A. Incident response
❍ B. Chain of custody
❍ C. Due process
❍ D. Due diligence
Quick Answer: 108 Detailed Answer: 119
5. As a first responder, which of the following is true about the handling of a suspect’s workspace?
❍ A. The IT department should be allowed to remove the computer.
❍ B. The suspect’s manager should be allowed to examine the area.
❍ C. The suspect should be allowed to remove personal items.
❍ D. No one should be allowed to remove any items from the scene.
Quick Answer: 108 Detailed Answer: 119
6. As a first responder, which of the following is true about the handling of a suspect’s computer?
❍ A. The computer should only be inspected by a trained professional.
❍ B. The suspect’s manager should be allowed to inspect the computer.
❍ C. You should immediately begin to identify suspicious computer files.
❍ D. The IT department should be allowed to inspect the computer.
Quick Answer: 108 Detailed Answer: 119
7. An organization has determined that an incident occurred. Which of the following is the next step the organization would take in the incident analysis process?
❍ A. Contact the press
❍ B. Contact affected vendors
❍ C. Determine the scope
❍ D. Mitigate the risk
Quick Answer: 108 Detailed Answer: 119
8. When an incident occurs, which of the following actions would the organization take first to mitigate the impact?
❍ A. Analysis
❍ B. Containment
❍ C. Remediation
❍ D. Reporting
Quick Answer: 108 Detailed Answer: 119
9. An organization needs help formulating best practices for reporting and disclosing computer security incidents. Which of the following would be of the most help to the organization?
❍ A. Operating system user manuals
❍ B. FBI investigative guidelines
❍ C. Request For Comments (RFC) 2350
❍ D. Request For Comments (RFC) 50
Quick Answer: 108 Detailed Answer: 119
10. Which of the following best describes why it is important to accurately determine the cause of each incident?
❍ A. To update the disaster recovery plan
❍ B. To prevent similar incidents from occurring
❍ C. To catch and prosecute the perpetrator
❍ D. To notify the press and any affected vendors
Quick Answer: 108 Detailed Answer: 119
Objective 2.4: Explain the importance of security related awareness and training.
1. An organization recently has experienced large volumes of phishing scams. Which of the following is the best defense against this type of attack?
❍ A. S/MIME
❍ B. Antivirus software
❍ C. Email filtering
❍ D. User education
Quick Answer: 109 Detailed Answer: 120
2. An organization discovers that city laws do not require special disposal of computer equipment. As a result, when equipment fails, employees throw it in the trash. Which of the following is the greatest concern to the organization?
❍ A. Health hazards
❍ B. Social engineering
❍ C. Dumpster diving
❍ D. Shoulder surfing
Quick Answer: 109 Detailed Answer: 120
3. An organization does not have a document disposal policy in place, nor does it have recycling or shredding bins. As a result, when employees no longer need printed information, it is thrown in the trash. Which of the following is the greatest concern to the organization?
❍ A. Fire hazards
❍ B. Social engineering
❍ C. Dumpster diving
❍ D. Shoulder surfing
Quick Answer: 109 Detailed Answer: 120
4. An organization using keypad entry for all external doors is located in a busy and congested complex. The organization is concerned about shoulder surfing. Which of the following would provide the best defense against this type of attack?
❍ A. Hand cupping
❍ B. Biometrics
❍ C. Security guards
❍ D. Deadbolts
Quick Answer: 109 Detailed Answer: 120
5. An attacker disconnects several cables from an unattended reception area, then offers the receptionist his business card as a computer repair technician when she returns. While waiting to see whether the IT manager is available to see him, the receptionist’s computer appears to fail. Which of the following types of attack has occurred?
❍ A. Reverse social engineering
❍ B. Denial of service
❍ C. Shoulder surfing
❍ D. Phishing
Quick Answer: 109 Detailed Answer: 120
6. Which of the following addresses how employees are to leave their desks when they leave the office at the end of the day?
❍ A. Data handling
❍ B. Clean desk
❍ C. Situational awareness
❍ D. Personal technology
Quick Answer: 109 Detailed Answer: 121
7. Which of the following are examples of social engineering? (Select all correct answers.)
❍ A. An attacker pretends to be an executive who forgot his password to gain access to credentials.
❍ B. An attacker presents a fake UPS ID to gain entrance to a specific floor of the building.
❍ C. An attacker uses a wireless packet sniffer to monitor user credentials.
❍ D. An attacker piggybacks into the building behind an unsuspecting employee.
Quick Answer: 109 Detailed Answer: 121
8. Which of the following is true regarding the scope of security awareness training for management?
❍ A. The focus should be the same as for users.
❍ B. The focus should be on program costs.
❍ C. The focus should be on business impact.
❍ D. The focus should be the same as for IT staff.
Quick Answer: 109 Detailed Answer: 121
9. Which of the following are essential components in an organizational security awareness program that attempts to minimize vulnerabilities created by social engineering? (Select all correct answers.)
❍ A. Security posters
❍ B. Regular reminders
❍ C. Scheduled training
❍ D. Clear policies
Quick Answer: 109 Detailed Answer: 121
10. Which of the following would be items addressed in a user security awareness training program? (Select all correct answers.)
❍ A. How to react to someone who has piggybacked into the building
❍ B. How to properly exit the building when the fire alarm is activated
❍ C. What to do when their computer is suspected of having a malware infection
❍ D. What to do when an administrator calls and asks for a user’s password
Quick Answer: 109 Detailed Answer: 121
11. An organization is establishing policies for dealing with the proper disposal of obsolete hardware. Which of the following specifications does the organization need to consider?
❍ A. Sarbanes-Oxley
❍ B. ISO 9000
❍ C. IEEE specifications
❍ D. ISO 17799
Quick Answer: 109 Detailed Answer: 121
12. An organization is establishing policies for dealing with the proper disposal of obsolete hardware. Which of the following would be appropriate considerations?
❍ A. Accessibility to remnants of legacy data
❍ B. Breaches of health and safety requirements
❍ C. Cost of disposal versus recycling
❍ D. Old equipment necessary to read archived data
Quick Answer: 109 Detailed Answer: 121
13. An organization is establishing policies for dealing with proper media disposal. Which of the following processes would the organization use if it wanted to remove the contents from the media as fully as possible, making it extremely difficult to restore before disposal?
❍ A. Declassification
❍ B. Sanitization
❍ C. Degaussing
❍ D. Destruction
Quick Answer: 109 Detailed Answer: 122
14. Which of the following policies would an organization implement to help protect the network passwords from hackers?
❍ A. Password complexity
❍ B. Randomly generated passwords
❍ C. Password storage in reversible encryption
❍ D. Default passwords
Quick Answer: 109 Detailed Answer: 122
15. An organization is formulating a change management policy. After a system change has been requested, documented, and approved, which of the following should occur?
❍ A. Implementation
❍ B. Management notification
❍ C. User notification
❍ D. Workarounds
Quick Answer: 109 Detailed Answer: 122
16. Which of the following policies would direct users not to download links from social media sites?
❍ A. Clean desk
❍ B. Data handling
❍ C. Personal technology
❍ D. Situational awareness
Quick Answer: 109 Detailed Answer: 122
17. An organization is implementing information classification levels. High-security internal information that defines the way in which the organization operates is considered which of the following classifications?
❍ A. Top secret
❍ B. Proprietary
❍ C. Internal use only
❍ D. Public documents
Quick Answer: 109 Detailed Answer: 122
18. An organization is implementing information classification levels. Highly sensitive internal documents and data to which very few employees should have access is considered which of the following classifications?
❍ A. Top secret
❍ B. Proprietary
❍ C. Internal use only
❍ D. Public documents
Quick Answer: 109 Detailed Answer: 122
19. An organization is implementing information classification levels. Restricted information that is unlikely to result in financial loss or serious damage to the organization is considered which of the following classifications?
❍ A. Top secret
❍ B. Proprietary
❍ C. Internal use only
❍ D. Public documents
Quick Answer: 109 Detailed Answer: 123
20. An organization is formulating a policy that will require employees to refrain from jotting down hard-to-recall passphrases or taping a list of their logons and passwords under their keyboard. Which of the following best describes this policy?
❍ A. Information sensitivity policy
❍ B. Clean desk policy
❍ C. Change management policy
❍ D. Computer security policy
Quick Answer: 109 Detailed Answer: 123
Objective 2.5: Compare and contrast aspects of business continuity.
1. Which of the following best describes the difference between a disaster recovery plan and a business continuity plan?
❍ A. A disaster recovery plan covers natural disasters, whereas a business continuity plan covers man-made disasters.
❍ B. A disaster recovery plan is a more comprehensive approach than a business continuity plan.
❍ C. A disaster recovery plan covers man-made disasters, whereas a business continuity plan covers natural disasters.
❍ D. A business continuity plan is a more comprehensive approach than a disaster recovery plan.
Quick Answer: 109 Detailed Answer: 123
2. Which of the following best describes a written document that defines how an organization will recover from a catastrophe and how it will restore business with minimum delay?
❍ A. Impact analysis
❍ B. Business continuity plan
❍ C. Disaster recovery plan
❍ D. Risk analysis
Quick Answer: 109 Detailed Answer: 123
3. Which of the following is true about the data-restoration process? (Select all correct answers.)
❍ A. It should be stored in a secure manner.
❍ B. It should be stored alongside the servers.
❍ C. It should be included in the employee manual.
❍ D. It should be properly documented.
Quick Answer: 109 Detailed Answer: 123
4. Which of the following is the most secure storage place for backup media?
❍ A. Next to the backup server
❍ B. Locked in a proper safe
❍ C. In the desk of the HR manager
❍ D. In the home of the IT manager
Quick Answer: 109 Detailed Answer: 124
5. Which of the following is addressed in business continuity planning? (Select two correct answers.)
❍ A. Network connectivity
❍ B. Data backups
❍ C. Fault tolerance
❍ D. Employee training
Quick Answer: 109 Detailed Answer: 124
6. Clear lines of succession and cross-training in critical business continuity functions are critical to meet which of the following?
❍ A. Recovery point objectives
❍ B. Service level agreements
❍ C. Fault tolerance
❍ D. Risk reduction
Quick Answer: 109 Detailed Answer: 124
7. In determining single points of failure, which of the following should the organization evaluate? (Select all correct answers.)
❍ A. Local desktop connections
❍ B. Internet connections
❍ C. Routers
❍ D. Switches
Quick Answer: 109 Detailed Answer: 124
8. Which of the following best describes the goal of a business impact analysis?
❍ A. To identify required business services
❍ B. To plan for a hurricane
❍ C. To examine the loss of operational capability
❍ D. To plan for an attack resulting from a vulnerability
Quick Answer: 109 Detailed Answer: 124
9. Which of the following can be used to increase availability in the event the motherboard in a server dies?
❍ A. Clustering
❍ B. RAID 0
❍ C. Disk striping
❍ D. Hot swap hard disks
Quick Answer: 109 Detailed Answer: 124
10. Which of the following addresses how to handle the situation where a disgruntled employee changes an administrative password before leaving?
❍ A. Business impact analysis
❍ B. Disaster recovery plan
❍ C. Change management policy
❍ D. System restoration plan
Quick Answer: 109 Detailed Answer: 124
Objective 2.6: Explain the impact and proper use of environmental controls.
1. An organization is planning to purchase a fire-suppression system. Certain areas of the building require a system that has water under pressure in it at all times. Which of the following best describes this type of system?
❍ A. Dry pipe
❍ B. Wet pipe
❍ C. Deluge
❍ D. Preaction
Quick Answer: 109 Detailed Answer: 125
2. Which of the following best describes the difference between a wet-pipe and a dry-pipe fire-suppression system?
❍ A. A wet-pipe system uses wet chemicals that deploy after the pipe loses air pressure, whereas a dry-pipe system uses dry chemicals that deploy before the pipe loses air pressure.
❍ B. A dry-pipe system uses dry chemicals, whereas a wet-pipe system uses wet chemicals.
❍ C. A dry-pipe system uses air to suppress fire, whereas a wet-pipe system uses water.
❍ D. A wet-pipe system has water in the pipe at all times, whereas in a dry-pipe system water is used but is held back by a valve until a certain temperature is reached.
Quick Answer: 109 Detailed Answer: 125
3. Class A fires involve which of the following?
❍ A. Energized electrical equipment, electrical fire, and burning wires
❍ B. Flammable liquids, gases, and greases
❍ C. Trash, wood, and paper
❍ D. Combustible metals such as magnesium, titanium, and sodium
Quick Answer: 109 Detailed Answer: 125
4. An organization is evaluating its environmental controls. Which of the following cable types carries an inherent danger due to the fact that it is easy to add devices to the network via open ports on unsecured hubs and switches? (Select all correct answers.)
❍ A. Shielded twisted pair
❍ B. Coaxial
❍ C. Unshielded twisted pair
❍ D. Fiber optic
Quick Answer: 109 Detailed Answer: 125
5. Class C fires involve which of the following?
❍ A. Energized electrical equipment, electrical fire, and burning wires
❍ B. Flammable liquids, gases, and greases
❍ C. Trash, wood, and paper
❍ D. Combustible metals such as magnesium, titanium, and sodium
Quick Answer: 109 Detailed Answer: 125
6. Class D fires involve which of the following?
❍ A. Energized electrical equipment, electrical fire, and burning wires
❍ B. Flammable liquids, gases, and greases
❍ C. Trash, wood, and paper
❍ D. Combustible metals such as magnesium, titanium, and sodium
Quick Answer: 109 Detailed Answer: 125
7. Class A fires can be extinguished using which of the following?
❍ A. Foam
❍ B. Water
❍ C. Sodium chloride
❍ D. Carbon dioxide
Quick Answer: 109 Detailed Answer: 125
8. Class B fires can be extinguished using which of the following?
❍ A. Foam
❍ B. Water
❍ C. Sodium chloride
❍ D. Carbon dioxide
Quick Answer: 109 Detailed Answer: 125
9. Class C fires can be extinguished using which of the following?
❍ A. Foam
❍ B. Water
❍ C. Sodium chloride
❍ D. Carbon dioxide
Quick Answer: 109 Detailed Answer: 126
10. Class D fires can be extinguished using which of the following?
❍ A. Foam
❍ B. Water
❍ C. Sodium chloride
❍ D. Carbon dioxide
Quick Answer: 109 Detailed Answer: 126
11. In fire-suppression systems, which of the following has replaced halon?
❍ A. Foam
❍ B. Water
❍ C. Sodium chloride
❍ D. Carbon dioxide
Quick Answer: 109 Detailed Answer: 126
12. When selecting a location for a building, an organization should investigate which of the following? (Select all correct answers.)
❍ A. Crime rate
❍ B. Proximity to an electronics store
❍ C. Type of neighborhood
❍ D. Emergency response times
Quick Answer: 109 Detailed Answer: 126
13. An organization that has several small branches in North Dakota, Minnesota, and Ontario, Canada, is planning for a fire-suppression system installation. Which of the following will best fit the needs of the organization?
❍ A. Dry pipe
❍ B. Wet pipe
❍ C. Deluge
❍ D. Preaction
Quick Answer: 109 Detailed Answer: 126
14. Which of the following is an inherent risk to equipment associated with overcooling?
❍ A. RFI
❍ B. Condensation
❍ C. EMF
❍ D. Static
Quick Answer: 109 Detailed Answer: 126
15. Which of the following is an inherent risk to equipment associated with using dehumidifiers?
❍ A. RFI
❍ B. Condensation
❍ C. EMF
❍ D. Static
Quick Answer: 109 Detailed Answer: 127
16. Which of the following is an inherent risk to equipment components associated with high levels of humidity?
❍ A. Rust
❍ B. ESD
❍ C. EMF
❍ D. Solidification
Quick Answer: 109 Detailed Answer: 127
17. An organization requires a cable type that is secure and can only be tapped by interrupting the service or using specially constructed equipment. Which of the following will best fit the needs of the organization?
❍ A. Shielded twisted pair
❍ B. Coaxial
❍ C. Unshielded twisted pair
❍ D. Fiber optic
Quick Answer: 109 Detailed Answer: 127
18. An organization is planning to protect the environment through the use of shielding. Which of the following can be an efficient and cost-effective way to protect a large quantity of equipment from electronic eavesdropping?
❍ A. Electron configuration table
❍ B. Electromagnetic field
❍ C. Faraday cage
❍ D. TEMPEST
Quick Answer: 109 Detailed Answer: 127
19. An organization is planning to protect the environment through the use of shielding. The equipment is in a corporate environment that processes government and military highly classified information. Which of the following best meets the requirements of the organization?
❍ A. Electron configuration table
❍ B. Electromagnetic field
❍ C. Faraday cage
❍ D. TEMPEST
Quick Answer: 109 Detailed Answer: 127
20. An organization requires a cabling solution that is not susceptible to eavesdropping. Which of the following cable types should automatically be eliminated from the list of viable solutions?
❍ A. Shielded twisted pair
❍ B. Coaxial
❍ C. Unshielded twisted pair
❍ D. Fiber optic
Quick Answer: 109 Detailed Answer: 127
Objective 2.7: Execute disaster recovery plans and procedures.
1. An organization is planning site redundancy. In the event of a catastrophe, the employees need to drive to the site, log on, and begin working. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 128
2. An organization is planning site redundancy. In the event of a catastrophe, electricity, bathrooms, and space will be provided. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 128
3. An organization is planning site redundancy. Currently, the organization does not have much money in the budget and requires the most inexpensive solution possible. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 128
4. An organization is planning site redundancy. In the event of a catastrophe, the site should already be configured with power, phone, and network jacks. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 128
5. An organization is planning site redundancy. It has been determined that the organization will contract with a third party for configuring devices, installing applications, and activating resources. All facility supplies should already be intact at the site. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 128
6. An organization is planning site redundancy. It is mandatory that all business operations are available 7 days a week for 24 hours per day. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 129
7. An organization is planning site redundancy. It is mandatory that live operations and recovery testing occur before an actual catastrophic event happens. Which of the following best meets these requirements?
❍ A. Hot site
❍ B. Warm site
❍ C. Cold site
❍ D. Mirror site
Quick Answer: 110 Detailed Answer: 129
8. An organization operates in an area subject to rolling blackouts. Which of the following is the best method to provide continuous operations?
❍ A. An uninterruptible power supply
❍ B. A generator
❍ C. A redundant electric connection
❍ D. A RAID configuration
Quick Answer: 110 Detailed Answer: 129
9. An organization operates in an area that has frequent brownouts. Which of the following is the best method to provide continuous operations?
❍ A. An uninterruptible power supply
❍ B. A generator
❍ C. A redundant electric connection
❍ D. A RAID configuration
Quick Answer: 110 Detailed Answer: 129
10. An organization is located in an industrial area where there is a large amount of electromagnetic interference (EMI). Which of the following is the best method to provide continuous operations?
❍ A. An uninterruptible power supply
❍ B. A generator
❍ C. A redundant electric connection
❍ D. A RAID configuration
Quick Answer: 110 Detailed Answer: 129
11. A small organization is located in a remote area. When the power is interrupted, it often takes some time for the electric company to restore it. Which of the following is the best method to provide continuous operations?
❍ A. An uninterruptible power supply
❍ B. A generator
❍ C. A redundant electric connection
❍ D. A RAID configuration
Quick Answer: 110 Detailed Answer: 130
12. An organization requires a UPS solution that provides the best isolation from power line problems. Which of the following is the best method to provide continuous operations?
❍ A. Surge protector
❍ B. Standby power supply
❍ C. Ferroresonant UPS system
❍ D. Continuous UPS
Quick Answer: 110 Detailed Answer: 130
13. An organization is located in an area that requires protection against line noise and electromagnetic interference (EMI). Which of the following would best provide the protection required for the organization?
❍ A. Surge protector
❍ B. Standby power supply
❍ C. Ferroresonant UPS system
❍ D. Continuous UPS
Quick Answer: 110 Detailed Answer: 130
14. An organization requires a UPS solution that activates only when the power actually fails. Which of the following is the best method to meet this requirement?
❍ A. Surge protector
❍ B. Standby power supply
❍ C. Ferroresonant UPS system
❍ D. Continuous UPS
Quick Answer: 110 Detailed Answer: 130
15. An organization that operates a nonprofit donation hotline is planning for redundancy. Which of the following would be the most critical component in providing continuous operations?
❍ A. Server redundancy
❍ B. ISP redundancy
❍ C. Phone system redundancy
❍ D. Data disk redundancy
Quick Answer: 110 Detailed Answer: 130
16. An organization that operates a web-based book business is planning for redundancy. Which of the following is the most critical component in providing continuous customer access?
❍ A. Server redundancy
❍ B. ISP redundancy
❍ C. Phone system redundancy
❍ D. Data disk redundancy
Quick Answer: 110 Detailed Answer: 131
17. An organization that operates a small photo backup business is planning for redundancy. Which of the following would be the most critical component in providing continuous operations?
❍ A. Server redundancy
❍ B. ISP redundancy
❍ C. Phone system redundancy
❍ D. Data disk redundancy
Quick Answer: 110 Detailed Answer: 131
18. An organization that operates a large data warehousing business is planning for redundancy using load balancing. Which of the following would best meet the organizational goals?
❍ A. Server redundancy
❍ B. ISP redundancy
❍ C. Phone system redundancy
❍ D. Data disk redundancy
Quick Answer: 110 Detailed Answer: 131
19. An organization that operates a small web-based photo backup business is evaluating single points of failure. The organization has three servers, four switches, and 100 client systems. Which of the following would be the most likely component(s) to be the single point of failure?
❍ A. Servers
❍ B. ISP connection
❍ C. Client systems
❍ D. Switches
Quick Answer: 110 Detailed Answer: 131
20. An organization is implementing a data availability solution based on a striped disk array without redundancy. Which of the following best describes this implementation?
❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 5
❍ D. RAID 10
Quick Answer: 110 Detailed Answer: 131
21. An organization requires a solution based on high reliability combined with high performance. Which of the following would best meet the organizational requirements?
❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 5
❍ D. RAID 10
Quick Answer: 110 Detailed Answer: 131
22. An organization requires a solution that has the best small read/large write performance of any redundancy disk array. Which of the following would best meet the organizational requirements?
❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 5
❍ D. RAID 10
Quick Answer: 110 Detailed Answer: 132
23. An organization is implementing a simple data redundancy solution that offers 100% redundancy with a trade-off of 50% disk utilization. Which of the following best describes this implementation?
❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 5
❍ D. RAID 10
Quick Answer: 110 Detailed Answer: 132
24. An organization is implementing a redundancy plan and is concerned about the need to restore equipment and parts. Which of the following is the best cost-effective method to ensure the availability of replacement parts?
❍ A. Creating an area for broken equipment that can be used for parts
❍ B. Purchasing exact duplicates of the equipment
❍ C. Signing a service level agreement
❍ D. Contracting for a hot site
Quick Answer: 110 Detailed Answer: 132
25. An organization that operates a tax service requires that all branch offices have access to each office’s client files for easier tax preparation. Which of the following would be the most critical component in providing continuous operations?
❍ A. Multiple network cards in each machine
❍ B. Redundant connections between sites
❍ C. Redundant data disks
❍ D. Multiple Internet service providers
Quick Answer: 110 Detailed Answer: 132
26. Full data backups are performed weekly on Saturday at 3:00 a.m., and incremental backups are performed each weekday at 3:00 a.m. If a drive failure causes a total loss of data at 9:00 a.m. on Tuesday morning, what is the minimum number of backup tapes that must be used to restore the lost data?
❍ A. One
❍ B. Two
❍ C. Three
❍ D. Four
Quick Answer: 110 Detailed Answer: 132
27. Full data backups are performed weekly on Saturday at 3:00 a.m., and differential backups are performed each weekday at 3:00 a.m. If a drive failure causes a total loss of data at 9:00 a.m. on Thursday morning, what is the minimum number of backup tapes that must be used to restore the lost data?
❍ A. One
❍ B. Two
❍ C. Three
❍ D. Four
Quick Answer: 110 Detailed Answer: 132
28. An organization is formulating a backup strategy. In the event of a total loss of data, which of the following backup methods will provide the fastest data restoration?
❍ A. Incremental
❍ B. Differential
❍ C. Copy
❍ D. Full
Quick Answer: 110 Detailed Answer: 132
29. An organization is implementing a backup strategy using three sets of backup tapes, with backup sets rotated on a daily, weekly, and monthly basis. Which of the following best describes this implementation?
❍ A. Grandfather, father, son
❍ B. Grandmother, mother, daughter
❍ C. Tower of Druaga
❍ D. Tower of Hanoi
Quick Answer: 110 Detailed Answer: 133
30. An organization is planning a backup strategy that requires a cost-effective solution that will provide backup data for more than a two-week time period. Which of the following would best meet the organizational requirements?
❍ A. Grandfather, father, son
❍ B. Ten-tape rotation
❍ C. Tower of Druaga
❍ D. Tower of Hanoi
Quick Answer: 110 Detailed Answer: 133
Objective 2.8: Exemplify the concepts of confidentiality, integrity, and availability.
1. Which of the following best describes the main concern of confidentiality?
❍ A. Unauthorized disclosure of sensitive information
❍ B. Unauthorized modification of information or systems
❍ C. Specifying if an identity should be granted access to a resource
❍ D. Maintaining continuous operations without service disruptions
Quick Answer: 110 Detailed Answer: 133
2. Which of the following best describes the main concern of integrity?
❍ A. Unauthorized disclosure of sensitive information
❍ B. Unauthorized modification of information or systems
❍ C. Specifying if an identity should be granted access to a resource
❍ D. Maintaining continuous operations without service disruptions
Quick Answer: 110 Detailed Answer: 133
3. Which of the following best describes the main concern of availability?
❍ A. Unauthorized disclosure of sensitive information
❍ B. Unauthorized modification of information or systems
❍ C. Specifying if an identity should be granted access to a resource
❍ D. Maintaining continuous operations without service disruptions
Quick Answer: 110 Detailed Answer: 133
4. An organization implements PGP. This is an example of which of the following? (Select all correct answers.)
❍ A. Integrity
❍ B. Availability
❍ C. Confidentiality
❍ D. Authorization
Quick Answer: 110 Detailed Answer: 133
5. Which of the following best describes the assurance that data and information can be modified only by those authorized to do so?
❍ A. Integrity
❍ B. Availability
❍ C. Confidentiality
❍ D. Authorization
Quick Answer: 110 Detailed Answer: 133
6. Which of the following best describes limiting the disclosure of private information?
❍ A. Integrity
❍ B. Availability
❍ C. Confidentiality
❍ D. Authorization
Quick Answer: 110 Detailed Answer: 134
7. Which of the following best describes requiring the accessibility of information and information systems?
❍ A. Integrity
❍ B. Availability
❍ C. Confidentiality
❍ D. Authorization
Quick Answer: 110 Detailed Answer: 134
8. Which two of the following support the preservation of data availability? (Select two correct answers.)
❍ A. Firewall
❍ B. Mirrored windows
❍ C. Antistatic carpet
❍ D. Physical access control
Quick Answer: 110 Detailed Answer: 134
9. Which of the following elements of data security are preserved by using antivirus software?
❍ A. Integrity and availability
❍ B. Confidentiality and integrity
❍ C. Accuracy and reliability
❍ D. Availability and confidentiality
Quick Answer: 110 Detailed Answer: 134

10. Regularly expiring passwords preserves which of the following? (Select two correct answers.)
❍ A. Longevity
❍ B. Availability
❍ C. Confidentiality
❍ D. Integrity
Quick Answer: 110 Detailed Answer: 134
Quick-Check Answer Key

Objective 2.1: Explain risk related concepts.
1. D
2. B
3. B
4. D
5. B
6. A
7. C
8. B
9. A
10. C
11. D
12. A
13. A, C, D
14. A, B, C
15. B
16. B
17. C
18. A
19. A
20. C
21. B
22. C
23. D
24. A
25. D
26. A
27. B
28. A
29. C
30. C
31. B
32. C
33. A
34. D
35. C
Objective 2.2: Carry out appropriate risk mitigation strategies.
1. A, B, D
2. D
3. B
4. C
5. C
6. B
7. C
8. A
9. B
10. D
Objective 2.3: Execute appropriate incident response procedures.
1. D
2. B
3. A, C
4. B
5. D
6. A
7. C
8. B
9. C
10. B
Objective 2.4: Explain the importance of security related awareness and training.
1. D
2. C
3. C
4. B
5. A
6. B
7. A, B
8. C
9. B, C, D
10. A, D
11. D
12. A, B, D
13. B
14. A
15. C
16. C
17. B
18. A
19. C
20. B
Objective 2.5: Compare and contrast aspects of business continuity.
1. D
2. C
3. A, D
4. B
5. A, C
6. A
7. B, C, D
8. C
9. A
10. D
Objective 2.6: Explain the impact and proper use of environmental controls.
1. B
2. D
3. C
4. A, C
5. A
6. D
7. B
8. A
9. D
10. C
11. D
12. A, C, D
13. A
14. B
15. D
16. A
17. D
18. C
19. D
20. B
Objective 2.7: Execute disaster recovery plans and procedures.
1. A
2. C
3. C
4. B
5. B
6. A
7. A
8. B
9. A
10. A
11. B
12. D
13. C
14. B
15. C
16. B
17. D
18. A
19. B
20. A
21. D
22. C
23. B
24. C
25. B
26. C
27. B
28. D
29. A
30. D
Objective 2.8: Exemplify the concepts of confidentiality, integrity, and availability.
1. A
2. B
3. D
4. A, C
5. A
6. C
7. B
8. C, D
9. B
10. C, D
Answers and Explanations

Objective 2.1: Explain risk related concepts.

1. Answer: D. To ensure that proper incident response planning is managed and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users. Current and pending legislation will affect the formulation of those policies. Answers A, B, and C are incorrect; although each of these factors may have influence on organizational policies, legislation will have the greatest effect.

2. Answer: B. An acceptable use policy provides details that specify what users may do with their network access, including email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. Answer A is incorrect because an organization’s information sensitivity policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Answer C is incorrect because a change management policy specifies details about system changes, such as the files being replaced, the configuration being changed, and the machines or operating systems affected. Answer D is incorrect because a computer security policy defines the goals and elements of an organization’s computer systems.

3. Answer: B. An acceptable use policy example is that upon logon, a statement that network access is granted under certain conditions and that all activities may be monitored is displayed. Answer A is incorrect because an organization’s information sensitivity policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Answer C is incorrect because a change management policy specifies details about system changes, such as the files being replaced, the configuration being changed, and the machines or operating systems affected. Answer D is incorrect because a computer security policy defines the goals and elements of an organization’s computer systems.

4. Answer: D. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Answer A is incorrect; due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer B is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer C is incorrect; the principle of least privilege refers to the concept that all users at all times should run with as few privileges as possible.

5. Answer: B. Due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer A is incorrect; due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer C is incorrect; due process is the concept that laws and legal proceedings must be fair. Answer D is incorrect; due course is an onward movement in a particular direction.
6. Answer: A. Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer B is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer C is incorrect; due process is the concept that laws and legal proceedings must be fair. Answer D is incorrect; due course is an onward movement in a particular direction.

7. Answer: C. Due process is the concept that laws and legal proceedings must be fair. Answer A is incorrect; due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer B is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer D is incorrect; due course is an onward movement in a particular direction.

8. Answer: B. Due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer A is incorrect; due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer C is incorrect; due process is the concept that laws and legal proceedings must be fair. Answer D is incorrect; due course is an onward movement in a particular direction.

9. Answer: A. Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer B is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer C is incorrect because due process is the concept that laws and legal proceedings must be fair. Answer D is incorrect because due course is an onward movement in a particular direction.

10. Answer: C. Due process is the concept that laws and legal proceedings must be fair. Answer A is incorrect; due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer B is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer D is incorrect; due course is an onward movement in a particular direction.

11. Answer: D. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Often you will find this in financial institutions, where in order to violate the security controls, all the participants in the process would have to agree to compromise the system. Answer A is incorrect; due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Answer B is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer C is incorrect; the principle of least privilege refers to the concept that all users at all times should run with as few privileges as possible.

12. Answer: A. For security purposes, organizations should avoid having one individual who has complete control of a transaction or process from beginning to end, and implement policies such as job rotation, mandatory vacations, and cross-training. Answer B is incorrect; security compliance deals with adhering to regulations and standards. Answer C is incorrect; the principle of least privilege refers to the concept that all users at all times should run with as few privileges as possible. Answer D is incorrect because due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party.

13. Answer: A, C, D. For security purposes, organizations should avoid having one individual who has complete control of a transaction or process from beginning to end, and implement policies such as job rotation, mandatory vacations, and cross-training. Answer B is incorrect because a change management policy specifies details about system changes such as the files being replaced, the configuration being changed, and the machines or operating systems affected.

14. Answer: A, B, C. Privacy-sensitive information is referred to as personally identifiable information (PII). This is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Examples of PII are name, address, phone number, fax number, email address, financial profiles, Social Security number, and credit card information. Answer D is incorrect because group membership does not expose privacy-sensitive information.

15. Answer: B. Service level agreements establish the contracted requirements for service through utilities, facility management, and ISPs. Answer A is incorrect; a business impact analysis is an analytic process that aims to reveal business and operational impacts stemming from any number of incidents or events. Answer C is incorrect because a disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimum delay. Answer D is incorrect because a disaster recovery policy outlines what to do during a disaster.

16. Answer: B. Service level agreements establish the contracted requirements for service through utilities, facility management, and ISPs.
The purpose of an SLA is to establish a cooperative partnership, bring both sides together, and map out each party’s responsibilities. Answer A is incorrect; a business impact analysis is an analytic process that aims to reveal business and operational impacts stemming from any number of incidents or events. Answer C is incorrect because a disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimum delay. Answer D is incorrect because a disaster recovery policy outlines what to do during a disaster.

17. Answer: C. When termination involves power users with high-level access rights or knowledge of service administrator passwords, it is critical to institute password and security updates to exclude known avenues of access while also increasing security monitoring for possible reprisals against the organization. Answer A is incorrect; immediately wiping the computer could delete necessary information. Answer B is incorrect; although an exit interview is part of normal HR processes, the concern is access after termination. Answer D is incorrect; searching the user’s work area should be done by proper authority and procedures.

18. Answer: A. Hackers and other agents seeking unauthorized access often search for highly placed users within an organization who have exempted themselves from standard security policies. Information about the profiles and positions of high-level users is often available on organizational websites, which can provide hackers with more directed information. Answers B and D are incorrect; these two groups should have a heightened sense of security awareness and not divulge confidential information. Answer C is incorrect because users can provide valuable information, but high-level employees have access to more valuable information.

19. Answer: A. It is important to locate a suitable upper-level sponsor for security initiatives to ensure that published security training and other requirements are applied to all users equally. Without management buy-in, the program will have a difficult time being successful. Based on this information, answers B, C, and D are incorrect.

20. Answer: C. Metrics for security baselines and hardening efforts rely on identification of vulnerability and risk. It is necessary to have some mechanism for measuring vulnerability to determine whether a baseline has been met, or if a new security measure has been effective. Answer A is incorrect because mitigation of threats and attacks is not related to metrics. Answer B is incorrect because security policies are not related to metrics. Answer D is incorrect; mitigation of vulnerability and risk is not related to metrics.

21. Answer: B. A risk, once identified, can be dealt with in several ways. A risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy. Answer A is incorrect because some risks cannot be addressed within a reasonable time, or are cost constrained, and may be accepted, with proper documentation as to the reasons why the risk is acceptable. Answer C is incorrect because some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of war-dialing attacks can be eliminated by removing legacy dial-up telephony modem devices. Answer D is incorrect; most risks fall into the mitigated response area, where the application of additional effort may reduce the risk to a level documented as acceptable.

22. Answer: C. A risk, once identified, can be dealt with in several ways.
Some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of war-dialing attacks can be eliminated by removing legacy dial-up telephony modem devices. Answer A is incorrect because some risks cannot be addressed within a reasonable time, or are cost constrained, and may be accepted, with proper documentation as to the reasons why the risk is acceptable. Answer B is incorrect; a risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy. Answer D is incorrect; most risks fall into the mitigated response area, where the application of additional effort may reduce the risk to a level documented as acceptable.

23. Answer: D. A risk, once identified, can be dealt with in several ways. Most risks fall into the mitigated response area, where the application of additional effort may reduce the risk to a level documented as acceptable. Answer A is incorrect because some risks cannot be addressed within a reasonable time, or are cost constrained, and may be accepted, with proper documentation as to the reasons why the risk is acceptable. Answer B is incorrect; a risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy. Answer C is incorrect because some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of war-dialing attacks can be eliminated by removing legacy dial-up telephony modem devices.
24. Answer: A. A risk, once identified, can be dealt with in several ways. Some risks cannot be addressed within a reasonable time, or are cost constrained, and may be accepted, with proper documentation as to the reasons why the risk is acceptable. Answer B is incorrect; a risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy. Answer C is incorrect because some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of war-dialing attacks can be eliminated by removing legacy dial-up telephony modem devices. Answer D is incorrect; most risks fall into the mitigated response area, where the application of additional effort may reduce the risk to a level documented as acceptable.

25. Answer: D. Before any baseline can be established, beyond those developed by regulatory bodies outside of the business entity, a risk assessment must be conducted to identify existing risks and potential mitigation mechanisms. Answer A is incorrect. This is not a good policy and is not included as a risk assessment. Answer B is incorrect; it describes a vulnerability assessment. Answer C is incorrect; personally identifiable information may be part of the risk assessment, but it is not the main purpose.

26. Answer: A. Annual loss expectancy (ALE) equals the single loss expectancy (SLE) times the annualized rate of occurrence (ARO): SLE × ARO = ALE. Based on the previous formula, answers B, C, and D are incorrect.

27. Answer: B. SLE equals asset value multiplied by the threat exposure factor or probability. Answer A is incorrect because it describes return on investment (ROI). Answer C is incorrect because it describes risk. Answer D is incorrect because it describes the annualized rate of occurrence. The ARO is the estimated possibility of a specific threat taking place in a one-year time frame.

28. Answer: A. Risk management is the process of identifying and reducing risk to a level that is comfortable, and then implementing controls to maintain that level. Answer B is incorrect because some risks cannot be addressed within a reasonable time, or are cost constrained, and may be accepted, with proper documentation as to the reasons why the risk is acceptable. Answer C is incorrect because risk analysis helps align security objectives with business objectives. Answer D is incorrect; a risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy, whereas risk itself is the possibility of loss or danger.

29. Answer: C. Risk analysis helps align security objectives with business objectives. Risk analysis identifies risks, estimates the impact of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk. Answer A is incorrect. Risk management is the process of identifying and reducing risk to a level that is comfortable, and then implementing controls to maintain that level. Answer B is incorrect because some risks cannot be addressed within a reasonable time, or are cost constrained, and may be accepted, with proper documentation as to the reasons why the risk is acceptable. Answer D is incorrect; a risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy, whereas risk itself is the possibility of loss or danger.

30. Answer: C. Risk is the possibility of loss or danger. Answer A is incorrect because the exposure factor or probability is the percentage of loss that a realized threat could have on a certain asset. Answer B is incorrect; the cumulative loss expectancy (CLE) is a risk model that calculates risk based on single systems. Answer D is incorrect because mitigation comes after risk is identified and assessed.

31. Answer: B. Because qualitative measures are based on subjective values, they are less precise than quantitative measures. Answer A is incorrect because quantitative measures rely on numerical values rather than subjective ones. Answer C is incorrect because qualitative measures are harder to assign numerical values to, and so it is more difficult to determine ROI. Answer D is incorrect because each form of analysis has its own benefits and neither is always better in all situations than the other.

32. Answer: C. A false positive is a control that allows unauthorized access, identifying the access falsely as valid. Answer A is incorrect because a false negative is a control that refuses authorized access, identifying the access falsely as invalid. Answer B is incorrect because technical controls include logical access control systems, security systems, encryption, and data classification solutions. Answer D is incorrect because management or administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change management procedures.

33. Answer: A. A false negative is a control that refuses authorized access, identifying the access falsely as invalid. Answer B is incorrect because technical controls include logical access control systems, security systems, encryption, and data classification solutions. Answer C is incorrect because a false positive is a control that allows unauthorized access, identifying the access falsely as valid. Answer D is incorrect because management or administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change management procedures.

34. Answer: D. Management or administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change management procedures. Answer A is incorrect because logical controls are the same as technical controls. Answer B is incorrect because technical controls include logical access control systems, security systems, encryption, and data classification solutions. Answer C is incorrect because physical controls form the outer line of defense against direct access to data, such as protection of backup media, securing output and mobile file storage devices, and facility design details such as layout, doors, guards, locks, and surveillance systems.

35. Answer: C. Physical controls form the outer line of defense against direct access to data, such as protection of backup media, securing output and mobile file storage devices, and facility design details such as layout, doors, guards, locks, and surveillance systems. Answer A is incorrect because logical controls are the same as technical controls. Answer B is incorrect because technical controls include logical access control systems, security systems, encryption, and data classification solutions. Answer D is incorrect because management or administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change management procedures.
Objective 2.2: Carry out appropriate risk mitigation strategies.

1. Answer: A, B, D. During the process of risk assessment, it is necessary to review many areas, such as the following: methods of access, authentication schemes, audit policies, hiring and release procedures, isolated services that may provide a single point of failure or avenue of compromise, and data or services requiring special backup or automatic failover support. Answer C is incorrect. Financial records review is not a necessary part of risk assessment, but how well that data is protected may be.

2. Answer: D. Return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Answer A is incorrect because it describes risk analysis. Answer B is incorrect because it describes risk management. Answer C is incorrect because it describes return on capital.

3. Answer: B. Return on investment is equal to the loss prevented minus the cost of the solution. If the result of this formula is a negative number, you spent more than the loss prevented. Therefore, answer A is incorrect. Answers C and D are incorrect because depending on what the investment is, it may or may not be a good investment and might be necessary due to regulations.

4. Answer: C. The exposure factor or probability is the percentage of loss that a realized threat could have on a certain asset. Answer A is incorrect because it describes vulnerability. Answer B is incorrect because it describes reduced risk on investment. Answer D is incorrect because it describes annual rate of occurrence.

5. Answer: C. A change management policy specifies details about system changes, such as the files being replaced, the configuration being changed, and the machines or operating systems affected. Answer A is incorrect because an organization’s information sensitivity policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Answer B is incorrect because an acceptable use policy provides details that specify what users may do with their network access. Answer D is incorrect because a computer security policy defines the goals and elements of an organization’s computer systems.

6. Answer: B. The Audit Use policy tracks potential resources at risk within your networking environment. These resources might typically include sensitive files, financial applications, and personnel files. Answer A is incorrect because the privacy policy covers PII protection requirements and practices. Answer C is incorrect because change management applies to network changes. Answer D is incorrect because it deals with information storage and is not related to network access use.

7. Answer: C. Degaussing involves exposing the media to a powerful electromagnetic device, erasing all magnetic variation within the media. Answer A is incorrect because overwriting involves the sequential writing of 1s and 0s to mask previously stored data and does not reduce all magnetic flux in the media to zero. Answer B is incorrect because destruction involves physical destruction of the storage device rather than only magnetic degaussing. Answer D is incorrect because declassification is a formal process for assessing the risk involved with discarding information, rather than media sanitization itself.
8. Answer: A. When configuring an audit policy, it is important to monitor successful and failed access attempts. Failure events allow you to identify unauthorized access attempts; successful events can reveal an accidental or intentional escalation of access rights. Answers B and C are incorrect because they will not provide you with a full picture of all access attempts. Answer D is incorrect because not auditing login attempts can hinder any type of investigation.

9. Answer: B. Sanitization is the process whereby fully cleared media is extremely difficult if not impossible to restore. Answer A is incorrect because overwriting involves the sequential writing of 1s and 0s to mask previously stored data and does not reduce all magnetic flux in the media to zero. Answer C is incorrect because destruction involves physical destruction of the storage device rather than only magnetic degaussing. Answer D is incorrect because declassification is a formal process for assessing the risk involved with discarding information, rather than media sanitization itself.

10. Answer: D. Incident response policies should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for each type of security-related incident. Answer A is incorrect because the privacy policy covers PII protection requirements and practices. Answer B is incorrect because audit policies track access to network resources. Answer C is incorrect because it deals with information storage and is not related to network access use.
Objective 2.3: Execute appropriate incident response procedures.

1. Answer: D. Computer forensics review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence. Answer A is incorrect; due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer B is incorrect because a chain of custody is the documentation of all transfers of evidence from one person to another. Answer C is incorrect because due process is the concept that laws and legal proceedings must be fair.

2. Answer: B. A chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect; due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. Answer C is incorrect because due process is the concept that laws and legal proceedings must be fair. Answer D is incorrect because computer forensics review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence.

3. Answer: A, C. The major concepts behind computer forensics are to identify the evidence, determine how to preserve the evidence, extract, process, and interpret the evidence, and ensure that the evidence is acceptable in a court of law. Answers B and D are incorrect; identification and prosecution of the suspect are left to law enforcement.
4. Answer: B. A chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect; a disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimum delay. Answer C is incorrect because due process is the concept that laws and legal proceedings must be fair. Answer D is incorrect; due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party.

5. Answer: D. The entire work area is a potential crime scene, not just the computer itself. There might be evidence such as removable media, voicemail messages, or handwritten notes. The work area should be secured and protected to maintain the integrity of the area. Under no circumstances should you touch the computer or should anyone be allowed to remove any items from the scene. Based on this information, answers A, B, and C are incorrect.

6. Answer: A. If you are an untrained first responder, touch nothing and contact someone trained in these matters for help. Although it seems that simply viewing the files or directories on a system would not change the original media, merely browsing a file can change it. Based on this information, answers B, C, and D are incorrect.

7. Answer: C. When the response team has determined that an incident occurred, the next step in incident analysis involves taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident. Answer A is incorrect; the press should not be contacted unless it is absolutely necessary, and then only after the scope has been determined. Answer B is incorrect because affected vendors should be contacted only after the scope has been determined. Answer D is incorrect because the risk cannot be mitigated until the scope is determined.

8. Answer: B. In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal. Answers A, C, and D are incorrect; analysis, remediation, and reporting happen after containment.

9. Answer: C. Request For Comments (RFC) 2350, “Expectations for Computer Security Incident Response,” spells out the expectations for computer security incident response. This RFC can be helpful in formulating organizational best practices for reporting and disclosure. Answer A is incorrect; organizational best practices for reporting and disclosure are not found in operating system manuals. Answer B is incorrect; FBI Investigative Guidelines are the guidelines on general crimes, national security investigative guidelines, and the confidential supplemental foreign intelligence guidelines. Answer D is incorrect because RFC 50 is comments on the Meyer Proposal.

10. Answer: B. It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future. Answer A is incorrect; the incident response plan would be updated, not the disaster recovery plan. Answer C is incorrect; apprehension and prosecution is the job of law enforcement. Answer D is incorrect; depending on the incident, press and vendor notification may not be necessary.
Chapter 2
Objective 2.4: Explain the importance of security related awareness and training.

1. Answer: D. For best protection, proper security technologies and techniques must be deployed at the client side, the server side, and the enterprise level. Ideally, users should not be able to directly access email attachments from within the email application. However, the best defense is user education. Answer A is incorrect; S/MIME is a standard for public key encryption and signing of email. Answer B is incorrect because antivirus software cannot identify phishing scams. Answer C is incorrect because email filtering cannot catch all unwanted email.

2. Answer: C. Equipment sometimes is put in the garbage because city laws do not require special disposal. Because intruders know this, they can scavenge through discarded equipment and documents, called dumpster diving, and extract sensitive information from it without ever contacting anyone in the company. Answer A is incorrect; health hazards are a concern; however, the real danger is the organizational information that is readily accessible. Answer B is incorrect; social engineering is a process by which an attacker may extract useful information from users who are often tricked into helping the attacker. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information.

3. Answer: C. Equipment sometimes is put in the garbage because city laws do not require special disposal. Because intruders know this, they can scavenge through discarded equipment and documents, called dumpster diving, and extract sensitive information from it without ever contacting anyone in the company. Answer A is incorrect; fire hazards are a concern. However, the real danger is the organizational information that is readily accessible. Answer B is incorrect because social engineering is a process by which an attacker may extract useful information from users who are often tricked into helping the attacker. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information.

4. Answer: B. The immediate solution to prevent shoulder surfing is to shield paperwork or your keypad from view by using your body or cupping your hand. Biometrics and gaze-based password entry make gleaning password information difficult for the unaided observer while retaining the simplicity and ease of use for the user. Answer A is incorrect because it is an immediate solution, not the best defense. Answer C is incorrect because security guards won’t necessarily prevent shoulder surfing. Answer D is incorrect because switching to deadbolts is not a viable solution.

5. Answer: A. Reverse social engineering involves an attacker convincing the user that he is a legitimate IT authority, causing the user to solicit his assistance. Answer B is incorrect because denial of service is a type of network attack. Answer C is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Answer D is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email.
Domain 2.0: Compliance and Operational Security
6. Answer: B. A clean desk policy provides guidance for data sanitization of the work environment. Answer A is incorrect because the data handling training would be focused on how to manage data stored on organizational systems rather than personal ones. Answer C is incorrect because situational awareness training involves developing strategies and skills for dealing with physical access violations and similar events rather than addressing which personal technologies are appropriate and how they should be used properly. Answer D is incorrect because personal technology training covers social networks, peer-to-peer networking, and mobile technologies owned by the employees but present in the workplace.

7. Answer: A, B. Social engineering attacks involve tricking a user into providing the attacker with access rights or operational details. Answer C is incorrect because packet sniffing is a form of a network security threat. Answer D is incorrect because this is a physical access control risk rather than social engineering.

8. Answer: C. Management training should focus on the ramifications of social engineering, such as the liability of the company when a breach happens, the financial damage that can happen, and how this can affect the reputation or credibility of the company. Answer A is incorrect because the user-based training will be more prevention oriented. Answer B is incorrect because focusing the training on costs rather than benefits is not promoting education. Answer D is incorrect because this training will be technical.

9. Answer: B, C, D. Planning, training, regular reminders, and firm and clear security policies are important when you’re attempting to minimize vulnerabilities created by social engineering. Answer A is incorrect; security posters might be a part of training, but they are not an essential element.

10. Answer: A, D. Some guidelines for information to be included in user training may consist of the following points: how to address someone who has her hands full and asks for help getting into a secure area, how to react to someone who has piggybacked into the building, what to say to a vice president who has forgotten his password and needs it right away, and what to do when an administrator calls and asks for a user’s password. Answer B is incorrect; this is a part of fire safety education. Answer C is incorrect; virus education should be addressed separately from security awareness training.

11. Answer: D. ISO 17799, particularly sections 7 and 8, has established standards for dealing with the proper disposal of obsolete hardware. Answer A is incorrect; Sarbanes-Oxley (SOX) governs financial and accounting disclosure information. Answer B is incorrect; ISO 9000 is a family of standards for quality management systems. Answer C is incorrect; the IEEE specifications are the central source for standardization in a broad range of emerging technologies.

12. Answer: A, B, D. Breaches of health and safety requirements, severe business loss resulting from inadequate disposal planning, remnants of legacy data from old systems that may still be accessible, and disposal of old equipment that is needed to read archived data should all be considered when formulating a policy on the secure disposal of outdated equipment. Answer C is incorrect because it addresses a cost, not a disposal consideration.
13. Answer: B. Sanitization is the process of removing the contents from the media as fully as possible, making it extremely difficult to restore. Answer A is incorrect because declassification is a formal process of assessing the risk involved in discarding particular information. Answer C is incorrect because degaussing is a method that uses an electrical device to reduce the magnetic flux density of the storage media to zero. Answer D is incorrect because destruction is the process of physically destroying the media and the information stored on it.

14. Answer: A. Strong password policies help protect the network from hackers and define the responsibilities of users who have been given access to company resources. Answer B is incorrect; if the passwords are too difficult to remember, users will write them down and post them on monitors, keyboards, and any number of easy-to-find places. Answer C is incorrect because enabling Store Passwords Using Reversible Encryption is essentially the same as storing passwords in plaintext, which is unsecure and not recommended. The purpose of this policy setting is to provide support for applications that use protocols that require knowledge of the user’s password for authentication purposes. Answer D is incorrect because default passwords can easily be guessed by an intruder.

15. Answer: C. After the change has been requested, documented, and approved, you should then send out notification to the users so that they will know what to expect when the change has been implemented. Therefore, answer A is incorrect; notification happens before implementation. Answer B is incorrect; often management doesn’t need notification. Answer D is incorrect; after changes are approved, there should not be workarounds.

16. Answer: C. Personal technologies training should cover social networks, peer-to-peer networking, and mobile technologies owned by the employees but present in the workplace. Answer A is incorrect because the clean desk policy provides guidance for data sanitization of the work environment. Answer B is incorrect because the data handling training would be focused on how to manage data stored on organizational systems rather than personal ones. Answer D is incorrect because situational awareness training involves developing strategies and skills for dealing with physical security threats.

17. Answer: B. Proprietary classification is internal information that defines the way in which the organization operates. Security should be high. Answer A is incorrect because top-secret classification is highly sensitive internal documents and data. This is the highest security level possible. Answer C is incorrect because internal use only classification is information that is unlikely to result in financial loss or serious damage to the organization. This is a restricted but normal security level. Answer D is incorrect because public documents classification is information in the public domain. This is a minimal security level.

18. Answer: A. Top-secret classification is highly sensitive internal documents and data. This is the highest security level possible. Answer B is incorrect because proprietary classification is internal information that defines the way in which the organization operates. Security should be high. Answer C is incorrect because internal use only classification is information that is unlikely to result in financial loss or serious damage to the organization. This is a restricted but normal security level. Answer D is incorrect because public documents classification is information in the public domain. This is a minimal security level.

19. Answer: C. Internal use only classification is information that is unlikely to result in financial loss or serious damage to the organization. This is a restricted but normal security level. Answer A is incorrect because top-secret classification is for highly sensitive internal documents and data. This is the highest security level possible. Answer B is incorrect because proprietary classification is internal information that defines the way in which the organization operates. Security should be high. Answer D is incorrect because public documents classification is information in the public domain. This is a minimal security level.

20. Answer: B. Training should include details of the organization’s clean desk policy, encouraging users to avoid jotting down hard-to-recall passphrases or details from electronic systems that may contain PII, and explaining why taping a list of their logons and passwords under their keyboard is a bad idea. Answer A is incorrect because an organization’s information sensitivity policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Answer C is incorrect because a change management policy specifies details about system changes, such as the files being replaced, the configuration being changed, and the machines or operating systems affected. Answer D is incorrect; a computer security policy defines the goals for securing and protecting an organization’s computer systems.
Objective 2.5: Compare and contrast aspects of business continuity.

1. Answer: D. Business continuity planning is a more comprehensive approach to providing guidance so the organization can continue making sales and collecting revenue. As with disaster recovery planning, it covers natural and man-made disasters. Based on this information, answers A, B, and C are incorrect.

2. Answer: C. A disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimum delay. Answer A is incorrect because an impact analysis is an analytic process that aims to reveal business and operational impacts stemming from any number of incidents or events. Answer B is incorrect because business continuity planning is a comprehensive approach to providing guidance so that the organization can continue making sales and collecting revenue. Answer D is incorrect because a risk analysis helps determine which security controls are appropriate and cost effective.

3. Answer: A, D. Restoration planning documentation, backup scheduling, and backup media must include protections against unauthorized access or potential damage, and critical procedures should be properly documented so that another equally trained individual can manage the restoration process. Answer B is incorrect; although this is convenient, it is not secure. Answer C is incorrect because this information does not belong in the employee manual.
4. Answer: B. A common practice is to have removable storage media locked in a proper safe or container at the end of the day. Answer A is incorrect; although this is convenient, it is not secure. Answer C is incorrect because this information does not belong in the desk of the HR manager. Answer D is incorrect because storing backup tapes in the home of the IT manager is a liability for the organization.

5. Answer: A, C. Business continuity planning should identify required services, such as network access and utility agreements, and arrange for automatic failover of critical services to redundant offsite systems. Answers B and D are incorrect because they are part of disaster recovery planning.

6. Answer: A. Clear lines of succession and cross-training in critical functions are critical to meeting recovery time objectives (RTOs) and recovery point objectives (RPOs), together with communications plans for alternative mechanisms of contact to alert individuals as to the need for succession. Answers B, C, and D are incorrect because they are not the main purpose of recovery point objectives.

7. Answer: B, C, D. To determine the number of single points of failure in the organization, start with a good map of everything the organization uses to operate. Pay special attention to items such as the Internet connection, routers, switches, and proprietary business equipment. Answer A is incorrect because local desktop connections are not a single point of failure.

8. Answer: C. The BIA is not focused as much on the relative likelihood of potential threats to an organization but instead focuses on the relative impact on critical business functions due to the loss of operational capability caused by the threats. Answer A is incorrect because identifying required business services is part of business continuity planning. Answers B and D are incorrect because they are part of disaster recovery planning.

9. Answer: A. Another way to increase availability is server clustering. A server cluster is the combination of two or more servers so that they appear as one. This clustering increases availability by ensuring that if a server is out of commission because of failure or planned downtime, another server in the cluster takes over the workload. Answers B, C, and D all deal with hard disks and will not provide availability if the system board dies.

10. Answer: D. A system restoration plan should include procedures on what to do if a disgruntled employee changes an administrative password before leaving. Answer A is incorrect because an impact analysis is an analytic process that aims to reveal business and operational impacts stemming from any number of incidents or events. Answer B is incorrect because a disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimum delay. Answer C is incorrect because change documentation includes specific details in regard to system changes, such as the files being replaced, the configuration being changed, and the machines or operating systems affected.
Objective 2.6: Explain the impact and proper use of environmental controls.

1. Answer: B. The pipe in the wet-pipe system has water under pressure in it at all times. Answer A is incorrect because dry-pipe systems work in exactly the same fashion as wet-pipe systems, except that the pipes are filled with pressurized air rather than water. Conventional deluge and preaction fire protection systems include a control valve, commonly called a deluge valve, which normally prevents water from flowing into a sprinkler line. Therefore, answers C and D are incorrect.

2. Answer: D. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. Therefore, answers A, B, and C are incorrect.

3. Answer: C. Class A fires are trash, wood, and paper. Answer A is incorrect because Class C fires are energized electrical equipment, electrical fire. Answer B is incorrect because Class B fires are flammable liquids, gases, and greases. Answer D is incorrect because Class D fires are fires that involve combustible metals such as magnesium, titanium, and sodium.

4. Answer: A, C. With UTP and STP, an inherent danger lies in the fact that it is easy to add devices to the network via open ports on unsecured hubs and switches. Answer B is incorrect because coax cables have no physical transmission security and are very simple to tap without interrupting regular transmissions or being noticed. Answer D is incorrect because it is impossible to tap fiber without interrupting the service and using specially constructed equipment. This makes it more difficult to eavesdrop or steal service.

5. Answer: A. Class C fires are energized electrical equipment, electrical fire. Answer B is incorrect because Class B fires are flammable liquids, gases, and greases. Answer C is incorrect. Class A fires are trash, wood, and paper. Answer D is incorrect. Class D fires are fires that involve combustible metals such as magnesium, titanium, and sodium.

6. Answer: D. Class D fires are fires that involve combustible metals such as magnesium, titanium, and sodium. Answer A is incorrect because Class C fires are energized electrical equipment, electrical fire. Answer B is incorrect because Class B fires are flammable liquids, gases, and greases. Answer C is incorrect because Class A fires are trash, wood, and paper.

7. Answer: B. Class B fires, which are flammable liquids, gases, and greases, are usually put out using foam. Answer A is incorrect; for Class A fires, which are trash, wood, and paper, water will decrease the fire’s temperature and extinguish its flames. Answer C is incorrect because the two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder. Answer D is incorrect; Class C fires, which are energized electrical equipment, electrical fire, and burning wires, are put out using extinguishers based on carbon dioxide or halon.

8. Answer: A. For Class A fires, which are trash, wood, and paper, water will decrease the fire’s temperature and extinguish its flames. Answer B is incorrect. Class B fires, which are flammable liquids, gases, and greases, are usually put out using foam. Answer C is incorrect because the two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder. Answer D is incorrect; Class C fires, which are energized electrical equipment, electrical fire, and burning wires, are put out using extinguishers based on carbon dioxide or halon.

9. Answer: D. Class C fires, which are energized electrical equipment, electrical fire, and burning wires, are put out using extinguishers based on carbon dioxide or halon. Answer A is incorrect. For Class A fires, which are trash, wood, and paper, water will decrease the fire’s temperature and extinguish its flames. Answer B is incorrect; Class B fires, which are flammable liquids, gases, and greases, are usually put out using foam. Answer C is incorrect because the two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder.

10. Answer: C. The two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder. Answer A is incorrect. For Class A fires, which are trash, wood, and paper, water will decrease the fire’s temperature and extinguish its flames. Answer B is incorrect; Class B fires, which are flammable liquids, gases, and greases, are usually put out using foam. Answer D is incorrect; Class C fires, which are energized electrical equipment, electrical fire, and burning wires, are put out using extinguishers based on carbon dioxide or halon.

11. Answer: D. In 1987, an international agreement known as the Montreal Protocol mandated, because of emissions, the phase out of halons in developed countries by the year 2000 and in less-developed countries by 2010. Therefore, carbon dioxide extinguishers have replaced halon ones. They don’t leave a harmful residue, making them a good choice for an electrical fire on a computer or other electronic devices. Based on this information, answers A, B, and C are incorrect.

12. Answer: A, C, D. When choosing a location for a building, an organization should investigate the type of neighborhood, population, crime rate, and emergency response times. Answer B is incorrect because the proximity to an electronic store may be a consideration, but it should not be one of the deciding factors.

13. Answer: A. One of the reasons for using a dry-pipe system is that when the outside temperature drops below freezing, any water in the pipes will freeze, causing them to burst. Therefore, answer B is incorrect. Answer C is incorrect because deluge systems are used in places that are considered high hazard areas, such as power plants, aircraft hangars, and chemical storage or processing facilities. Deluge systems are needed where high velocity suppression is necessary to prevent fire spread. Answer D is incorrect; conventional preaction systems are relatively complex and expensive, tending to preclude the benefits of their use in low-cost, water-sensitive applications such as small areas, and residential applications where the need to avoid inadvertent water damage is as important as providing protection against fire damage.

14. Answer: B. Overcooling causes condensation on equipment, and air that is too dry leads to excessive static. Therefore, answer D is incorrect. Answers A and C are incorrect because electromagnetic interference (EMI), also called radio frequency interference (RFI), is a disturbance that affects an electrical circuit due to either electromagnetic conduction or electromagnetic radiation emitted from an external source.
15. Answer: D. Overcooling causes condensation on equipment, and air that is too dry leads to excessive static. Therefore, answer B is incorrect. Answers A and C are incorrect because electromagnetic interference (EMI), also called radio frequency interference (RFI), is a disturbance that affects an electrical circuit due to either electromagnetic conduction or electromagnetic radiation emitted from an external source.

16. Answer: A. A high level of humidity can cause components to rust and degrade electrical resistance or thermal conductivity. Answer B is incorrect because a low level of humidity can subject components to electrostatic discharge (ESD), causing damage. Answer C is incorrect because EMF is associated with the electricity that comes out of every power socket and higher-frequency radio waves that create electromagnetic fields. Answer D is incorrect because solidification is the crystallization of a large amount of material from a single point of nucleation resulting in a single crystal.

17. Answer: D. It is impossible to tap fiber without interrupting the service and using specially constructed equipment. This makes it more difficult to eavesdrop or steal service. Answers A and C are incorrect. With UTP and STP, an inherent danger lies in the fact that it is easy to add devices to the network via open ports on unsecured hubs and switches. Answer B is incorrect because coax cables have no physical transmission security and are very simple to tap without interrupting regular transmissions or being noticed.

18. Answer: C. An efficient way to protect a large quantity of equipment from electronic eavesdropping is to place the equipment into a well-grounded metal box called a Faraday cage. Answer A is incorrect; an electron configuration table is a type of code that describes how many electrons are in each energy level of an atom and how the electrons are arranged within each energy level. Answer B is incorrect because EMF is associated with the electricity that comes out of every power socket and higher-frequency radio waves that create electromagnetic fields. Answer D is incorrect because TEMPEST can be costly to implement, and protecting an area within a building makes more sense than protecting individual pieces of equipment.

19. Answer: D. You are most likely to find TEMPEST equipment in government, military, and corporate environments that process government/military classified information. Answer A is incorrect; an electron configuration table is a type of code that describes how many electrons are in each energy level of an atom and how the electrons are arranged within each energy level. Answer B is incorrect because EMF is associated with the electricity that comes out of every power socket and higher-frequency radio waves that create electromagnetic fields. Answer C is incorrect because although a Faraday cage is an option, it protects an area within a building, not individual pieces of equipment.

20. Answer: B. Coax cables have no physical transmission security and are very simple to tap without interrupting regular transmissions or being noticed. Answers A and C are incorrect; both UTP and STP are possible to tap, although it is physically a little trickier than tapping coax cable because of the physical structure of STP and UTP cable. Answer D is incorrect because it is impossible to tap fiber without interrupting the service and using specially constructed equipment. This makes it more difficult to eavesdrop or steal service.
Objective 2.7: Execute disaster recovery plans and procedures. 1. Answer: A. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations. This type of site is similar to the original site in that it is equipped with all necessary hardware, software, network, and Internet connectivity fully installed, configured, and operational. Answer B is incorrect because a warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. Answer C is incorrect because a cold site does not provide any equipment. These sites are merely a prearranged request to use facilities if needed. Electricity, bathrooms, and space are about the only facilities provided in a cold site contract. Answer D is incorrect because a mirror site is an exact copy of another Internet site. 2. Answer: C. A cold site does not provide any equipment. These sites are merely a prearranged request to use facilities if needed. Electricity, bathrooms, and space are about the only facilities provided in a cold site contract. Answer A is incorrect. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations. This type of site is similar to the original site in that it is equipped with all necessary hardware, software, network, and Internet connectivity fully installed, configured, and operational. Answer B is incorrect because a warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. Answer D is incorrect because a mirror site is an exact copy of another Internet site. 3. Answer: C. A cold site is the weakest of the recovery plan options but also the cheapest. 
These sites are merely a prearranged request to use facilities if needed. Electricity, bathrooms, and space are about the only facilities provided in a cold site contract. Answer A is incorrect. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations, such as hardware and furnishings. Answer B is incorrect because a warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. Answer D is incorrect because a mirror site is an exact copy of another Internet site. 4. Answer: B. A warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. Answer A is incorrect. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations, such as hardware and furnishings. Answer C is incorrect because a cold site does not provide any equipment. These sites are merely a prearranged request to use facilities if needed. Answer D is incorrect because a mirror site is an exact copy of another Internet site. 5. Answer: B. A warm site is a scaled-down version of a hot site. The site may have computers and other resources, but they are not configured and ready to go. It is assumed that the organization itself will configure the devices, install applications, and
Domain 2.0: Compliance and Operational Security
129
activate resources or that it will contract with a third party for these services. Answer A is incorrect because a hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations, such as hardware and furnishings. Answer C is incorrect because a cold site does not provide any equipment. These sites are merely a prearranged request to use facilities if needed. Answer D is incorrect because a mirror site is an exact copy of another Internet site.

6. Answer: A. A hot site is a site location that is already running and is available 7 days a week for 24 hours per day. Answer B is incorrect because a warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. Answer C is incorrect because a cold site does not provide any equipment. These sites are merely a prearranged request to use facilities if needed. Answer D is incorrect because a mirror site is an exact copy of another Internet site.

7. Answer: A. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations: it is equipped with all necessary hardware, software, network, and Internet connectivity fully installed, configured, and operational. Hot sites are traditionally more expensive, but they can be used for operations and recovery testing before an actual catastrophic event occurs. Answer B is incorrect because a warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. Answer C is incorrect because a cold site does not provide any equipment. These sites are merely a prearranged request to use facilities if needed. Answer D is incorrect because a mirror site is an exact copy of another Internet site.

8. Answer: B. Backup power is a power supply that will run the power for your organization in the case of a power outage. This can be done through the use of a gas-powered generator. A generator can be used for rolling blackouts, emergency blackouts, or electrical problems. Answer A is incorrect because an uninterruptible power supply protects the environment from damaging fluctuations in power and cannot sustain power outages for a long period of time. Answer C is incorrect because most electric companies service only one area. If it is possible to contract with another service provider, the cost will most likely be prohibitive. Answer D is incorrect because RAID does not protect against electrical failures.

9. Answer: A. Brownouts are short-term decreases in voltage levels that most often occur when motors are started or are triggered by faults on the utility provider’s system. To protect your environment from such damaging fluctuations in power, always connect your sensitive electronic equipment to power conditioners, surge protectors, and a UPS, which provides the best protection of all. Answer B is incorrect because a generator is used for rolling blackouts, emergency blackouts, or electrical problems. Answer C is incorrect because most electric companies service only one area. If it is possible to contract with another service provider, the cost will most likely be prohibitive. Answer D is incorrect because RAID does not protect against electrical failures.

10. Answer: A. Power variations called noise are also referred to as electromagnetic interference (EMI). To protect your environment from such damaging fluctuations in power, always connect your sensitive electronic equipment to power conditioners, surge protectors, and a UPS, which provides the best protection of all. Answer B is incorrect
because a generator is used for rolling blackouts, emergency blackouts, or electrical problems. Answer C is incorrect because most electric companies service only one area. If it is possible to contract with another service provider, the cost will most likely be prohibitive. Answer D is incorrect because RAID does not protect against electrical failures.

11. Answer: B. Backup power is a power supply that will run the power for your organization in the case of a power outage. This can be done through the use of a gas-powered generator. A generator can be used for rolling blackouts, emergency blackouts, or electrical problems. Answer A is incorrect because an uninterruptible power supply protects the environment from damaging fluctuations in power and cannot sustain power levels for a long period of time. Answer C is incorrect because most electric companies service only one area. If it is possible to contract with another service provider, the cost will most likely be prohibitive. Answer D is incorrect because RAID does not protect against electrical failures.

12. Answer: D. In a continuous UPS, also called an “online” UPS, the computer is always running off of battery power, and the battery is continuously being recharged. There is no switchover time, and these supplies generally provide the best isolation from power line problems. Answer A is incorrect. A surge protector is designed to protect electrical devices from voltage spikes by limiting the surge to acceptable levels that electronic equipment can handle. This device does not regulate or supply any power in the event of sags. Answer B is incorrect. A standby power supply (SPS) is also referred to as an “offline” UPS. In this type of supply, power usually derives directly from the power line, until power fails. Answer C is incorrect because a ferroresonant UPS system maintains a constant output voltage even with a varying input voltage and provides good protection against line noise.

13. Answer: C. A ferroresonant UPS system maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. Answer A is incorrect; a surge protector is designed to protect electrical devices from voltage spikes, not supply power. Answer B is incorrect; a standby power supply (SPS) is also referred to as an “offline” UPS. In this type of supply, power usually derives directly from the power line, until power fails. Answer D is incorrect; in a continuous UPS, also called an “online” UPS, the computer is always running off of battery power, and the battery is continuously being recharged. There is no switchover time, and these supplies generally provide the best isolation from power line problems.

14. Answer: B. A standby power supply (SPS) is also referred to as an “offline” UPS. In this type of supply, power usually derives directly from the power line, until power fails. Answer A is incorrect because a surge protector is designed to protect electrical devices from voltage spikes, not supply power. Answer C is incorrect; a ferroresonant UPS system maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. Answer D is incorrect; in a continuous UPS, also called an “online” UPS, the computer is always running off of battery power, and the battery is continuously being recharged. There is no switchover time, and these supplies generally provide the best isolation from power line problems.

15. Answer: C. If the majority of your business is telephone based, you might look for redundancy in the phone system as opposed to the ISP. Therefore, answer B is incorrect. Answer A is incorrect because if the servers failed, phone donations could still be
taken via pen and paper. Answer D is incorrect because although data disk redundancy for the storage of data is important, without a phone system, the business could not function.

16. Answer: B. If all your business is web based, to provide continued customer access it is a good idea to have some redundancy in the event the Internet connection goes down. Answer A is incorrect because if one of the servers failed, business could still be conducted. Answer C is incorrect. If the majority of your business is telephone based, you might look for redundancy in the phone system as opposed to the ISP, and this is not the case. Answer D is incorrect because although data disk redundancy for the storage of data is important, without an Internet connection, the business could not function.

17. Answer: D. The primary function of the business is to provide a backup service. Without data disk redundancy, the business could not operate. Answer A is incorrect because if one of the servers failed, business could be conducted. Answer B is incorrect because the main business purpose is to provide backup service. A temporary loss of the Internet connection is not as damaging as losing a data disk. Answer C is incorrect; if the majority of your business is telephone based, you might look for redundancy in the phone system, and this is not the case.

18. Answer: A. It might be necessary to set up redundant servers so that the business can still function in the event of hardware or software failure. If a single server hosts vital applications, a simple equipment failure might result in days of downtime as the problem is repaired. Answer B is incorrect; the main business purpose is to provide data warehousing. A temporary loss of the Internet connection is not as damaging as losing a vital server. Answer C is incorrect because if the majority of your business is telephone based, you might look for redundancy in the phone system, and this is not the case. Answer D is incorrect because although data disk redundancy for the storage of data is important, the business could still function if a disk was lost.

19. Answer: B. Neglecting single points of failure can prove disastrous. A single point of failure is any piece of equipment that can bring your operation down if it stops working. Based on this, the Internet connection would be the single point of failure. Answers A, C, and D are incorrect; there is more than one of each of these pieces of equipment, so they are not single points of failure.

20. Answer: A. RAID Level 0 is a striped disk array without fault tolerance. Answer B is incorrect. RAID Level 1 is mirroring and duplexing. This solution requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. Answer C is incorrect; RAID Level 5 consists of independent data disks with distributed parity blocks. In RAID 5, each entire block of the data and the parity is striped. Answer D is incorrect; RAID Level 10 is high reliability combined with high performance. This solution is a striped array that has RAID 1 arrays.

21. Answer: D. RAID Level 10 is high reliability combined with high performance. This solution is a striped array that has RAID 1 arrays. Answer A is incorrect because RAID Level 0 is a striped disk array without fault tolerance. Answer B is incorrect because RAID Level 1 is mirroring and duplexing. This solution requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. Answer C is incorrect because RAID Level 5 consists of independent data disks with distributed parity blocks. In RAID 5, each entire block of the data and the parity is striped.
22. Answer: C. In RAID 5, each entire block of the data and the parity is striped. Because it writes both the data and the parity over all the disks, it has the best small read/large write performance of any redundancy disk array. Answer A is incorrect because RAID Level 0 is a striped disk array without fault tolerance. Answer B is incorrect because RAID Level 1 is mirroring and duplexing. This solution requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. Answer D is incorrect; RAID Level 10 is high reliability combined with high performance. This solution is a striped array that has RAID 1 arrays.

23. Answer: B. RAID Level 1 is mirroring and duplexing. This solution requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. RAID 1 disk usage is 50% and the other 50% is for redundancy. Answer A is incorrect because RAID Level 0 is a striped disk array without fault tolerance. Answer C is incorrect because RAID Level 5 consists of independent data disks with distributed parity blocks. In RAID 5, each entire block of the data and the parity is striped. Answer D is incorrect because RAID Level 10 is high reliability combined with high performance. This solution is a striped array that has RAID 1 arrays.

24. Answer: C. In the event of a disaster, an organization might also need to restore equipment (in addition to data). One of the best ways to ensure the availability of replacement parts is through service level agreements (SLAs). Answer A is incorrect because this solution consumes space and does not ensure that correct replacement parts will be available. Answers B and D are incorrect; they are too costly.

25. Answer: B. In disaster recovery planning, you might need to consider redundant connections between branches or sites. Because the records must be available between offices, this is the single point of failure that requires redundancy. Based on this information, answers A, C, and D are incorrect.

26. Answer: C. Saturday’s full backup must be restored, followed by Monday’s incremental backup, and finally Tuesday morning’s incremental backup. This will recover all data as of 3:00 a.m. Tuesday morning. Answer A is incorrect because a full backup Tuesday morning would be required to allow a single tape recovery of all data. Answer B is incorrect because a differential backup on Tuesday morning would be required in addition to the full backup so that only two backup tapes would be needed. Answer D is incorrect because four tapes would not be required.

27. Answer: B. A differential backup on Thursday morning would be required in addition to the full backup so that only two backup tapes would be needed. Answer A is incorrect because a full backup Thursday morning would be required to allow a single tape recovery of all data. Answer C is incorrect; Saturday’s full backup must be restored, followed by Monday’s, Tuesday’s, Wednesday’s, and Thursday’s incremental backup tapes. Answer D is incorrect because four tapes would not be required.

28. Answer: D. In the event of a total loss of data, restoration from a full backup will be faster than other methods. Answers A and B are incorrect; each of these methods will require more than one tape and take longer than restoring from a full backup. Answer C is incorrect because a copy backup copies all the selected files, but does not mark the files as having been backed up. This backup type is useful for backing up single files between normal and incremental backups because it does not affect these operations.
29. Answer: A. Grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. Originally designed for tape backup, it works well for any hierarchical backup strategy. The basic method is to define three sets of backups, such as daily, weekly, and monthly. Answers B and C are incorrect; neither of these are valid backup methods. Answer D is incorrect because the Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle, with what is essentially a recursive method.

30. Answer: D. The Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle, with what is essentially a recursive method. It is a “smart” way of archiving an effective number of backups and provides the ability to go back over time. The Tower of Hanoi is more difficult to implement and manage but costs less than the grandfather-father-son scheme. Answer A is incorrect; grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. Originally designed for tape backup, it works well for any hierarchical backup strategy. Answer B is incorrect because ten-tape rotation is a simpler and more cost-effective method for small businesses. It provides a data history of up to two weeks. Answer C is incorrect; this is not a valid backup method.
Objective 2.8: Exemplify the concepts of confidentiality, integrity, and availability.

1. Answer: A. Confidentiality is concerned with the unauthorized disclosure of sensitive information. Answer B is incorrect; integrity pertains to preventing unauthorized modifications of information or systems. Answer C is incorrect; authorization is the function of specifying access rights to resources. Answer D is incorrect; availability is about maintaining continuous operations and preventing service disruptions.

2. Answer: B. Integrity pertains to preventing unauthorized modifications of information or systems. Answer A is incorrect; confidentiality is concerned with the unauthorized disclosure of sensitive information. Answer C is incorrect; authorization is the function of specifying access rights to resources. Answer D is incorrect; availability is about maintaining continuous operations and preventing service disruptions.

3. Answer: D. Availability is about maintaining continuous operations and preventing service disruptions. Answer A is incorrect; confidentiality is concerned with the unauthorized disclosure of sensitive information. Answer B is incorrect; integrity pertains to preventing unauthorized modifications of information or systems. Answer C is incorrect; authorization is the function of specifying access rights to resources.

4. Answer: A, C. Pretty Good Privacy (PGP) is a computer program used for signing, encrypting, and decrypting email messages. PGP is used to send and receive emails in a confidential, secure fashion. Answer B is incorrect. Availability is about maintaining continuous operations and preventing service disruptions. Answer D is incorrect; authorization is the function of specifying access rights to resources.

5. Answer: A. Integrity is the assurance that data and information can be modified only by those authorized to do so. Answer B is incorrect; availability refers to the accessibility of information and information systems, when they are needed. Answer C is
incorrect; confidentiality describes the act of limiting disclosure of private information. Answer D is incorrect because authorization is the function of specifying access rights to resources.

6. Answer: C. Confidentiality describes the act of limiting disclosure of private information. Answer A is incorrect; integrity is the assurance that data and information can be modified only by those authorized to do so. Answer B is incorrect; availability refers to the accessibility of information and information systems, when they are needed. Answer D is incorrect because authorization is the function of specifying access rights to resources.

7. Answer: B. Availability refers to the accessibility of information and information systems, when they are needed. Answer A is incorrect; integrity is the assurance that data and information can be modified only by those authorized to do so. Answer C is incorrect; confidentiality describes the act of limiting disclosure of private information. Answer D is incorrect because authorization is the function of specifying access rights to resources.

8. Answer: C, D. Environmental controls such as antistatic carpeting aid in protecting against system failure and so preserve availability of data and services. Physical access controls protect against system theft, destruction, or damage. Answer A is incorrect because firewalls restrict access to data and services, and although deletion is possible, this control is focused on preserving confidentiality and integrity. Answer B is incorrect because mirrored windows protect confidentiality by preventing observation of displayed data, user keystrokes, and other information of potential interest.

9. Answer: B. Malware defenses such as antivirus services protect the confidentiality and integrity of data by eliminating viral agents that could otherwise capture keystrokes, relay webcam audio/video, or modify data and services. Answers A and D are incorrect because malware defenses are not focused on the preservation of data and service availability, beyond preventing an outright wipe of the infected system. Answer C is incorrect because accuracy and reliability are data qualities within the Integrity principle, not directly parts of the C-I-A Triad.

10. Answer: C, D. Regular password expiration protects against re-use of compromised passwords and mitigates brute-force attacks by changing keys before all combinations can be tested. These actions protect access controls over data review and modification, preserving confidentiality and integrity of data. Answer B is incorrect because password expiration does not directly impact data and service availability. Similarly, answer A is incorrect because data longevity is unrelated to passwords and exists only as business operations allow. Some data may be updated many times every minute, while other data remains static for years.
CHAPTER THREE

Domain 3.0: Threats and Vulnerabilities

Securing your resources is a challenge in any working environment. After all, resources are now commonly attacked through software, hardware, and peripherals. Domain 3 of the Security+ exam requires that you understand how to identify and minimize system threats to thwart would-be attackers and that you recognize the different types of assessment tools that are available to discover security threats and vulnerabilities. Be sure to give yourself plenty of time to review all these concepts because there are quite a few. The following list identifies the key areas from Domain 3.0 (which counts as 21% of the exam) that you need to master:

• Analyze and differentiate among types of malware
• Analyze and differentiate among types of attacks
• Analyze and differentiate among types of social engineering attacks
• Analyze and differentiate among types of wireless attacks
• Analyze and differentiate among types of application attacks
• Analyze and differentiate among types of mitigation and deterrent techniques
• Implement assessment tools and techniques to discover security threats and vulnerabilities
• Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
Practice Questions

Objective 3.1: Analyze and differentiate among types of malware.

1. Which of the following is the most common result of a buffer overflow?
❍ A. Privilege escalation
❍ B. Disguised malicious programs
❍ C. Code replication
❍ D. Collection of personal data
Quick Answer: 180 Detailed Answer: 184

2. Which of the following best describes a virus?
❍ A. An action that exceeds the storage-space allocation of an application
❍ B. A program disguised as a useful application
❍ C. A program designed to attach itself to other code and replicate
❍ D. Software that communicates information from a user’s system without notifying the user
Quick Answer: 180 Detailed Answer: 184

3. Which of the following best describes a Trojan?
❍ A. It infects other systems only after a user executes the application that it is buried in.
❍ B. It sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
❍ C. It collects personal information, or changes your computer configuration without appropriately obtaining prior consent.
❍ D. It is self-replicating and therefore needs no user intervention.
Quick Answer: 180 Detailed Answer: 184

4. Which of the following best describes a rootkit?
❍ A. Software used for the collection of personal data
❍ B. Software hidden on a computer for the purpose of compromising the system
❍ C. Software that provides the originator with the venue to propagate
❍ D. Software that reports data such as surfing habits and sites visited
Quick Answer: 180 Detailed Answer: 185

5. Which of the following is considered a worm?
❍ A. Melissa
❍ B. Acid Rain
❍ C. Code Red
❍ D. Mocmex
Quick Answer: 180 Detailed Answer: 185

6. A disgruntled employee creates a utility for purging old emails from the server. Inside the utility is code that will erase the server’s hard drive contents on January 1, 2012. This is an example of which of the following attacks?
❍ A. Virus
❍ B. Logic bomb
❍ C. Spoofing
❍ D. Trojan horse
Quick Answer: 180 Detailed Answer: 185

7. Which of the following best describes spyware?
❍ A. Software used for the collection of personal data
❍ B. Software hidden on a computer for the purpose of compromising the system
❍ C. Software that provides the originator with the venue to propagate
❍ D. Software that reports data such as surfing habits and sites visited
Quick Answer: 180 Detailed Answer: 185

8. Which of the following is the best reason not to request to be removed from a mailing list in a reply to an unsolicited email?
❍ A. It allows the sender to spoof your email address.
❍ B. It is a waste of time because the sender very seldom removes you from the list.
❍ C. It verifies that you have a legitimate, working email address.
❍ D. It allows the sender to collect personal data.
Quick Answer: 180 Detailed Answer: 185
9. Which of the following are methods by which email spam lists are created? (Select all correct answers.)
❍ A. Scanning newsgroup postings
❍ B. Stealing Internet mailing lists
❍ C. Stealing user email address books
❍ D. Searching the Web for addresses
Quick Answer: 180 Detailed Answer: 185

10. Which of the following best describes programming errors that result in allowing someone to gain unauthorized administrative access?
❍ A. Buffer overflow
❍ B. Virus
❍ C. Trojan
❍ D. Logic bomb
Quick Answer: 180 Detailed Answer: 186

11. Which of the following best describes malware that takes advantage of a security hole, and then automatically replicates to other systems running the same software?
❍ A. Spyware
❍ B. Virus
❍ C. Trojan
❍ D. Worm
Quick Answer: 180 Detailed Answer: 186

12. Which of the following is a type of malware that is disguised as a useful application?
❍ A. Spyware
❍ B. Virus
❍ C. Trojan
❍ D. Worm
Quick Answer: 180 Detailed Answer: 186

13. Which of the following is a type of malware associated with collecting personal information without appropriately obtaining prior consent?
❍ A. Spyware
❍ B. Virus
❍ C. Trojan
❍ D. Worm
Quick Answer: 180 Detailed Answer: 186
14. Which of the following is a type of malware hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges?
❍ A. Spyware
❍ B. Spam
❍ C. Adware
❍ D. Rootkit
Quick Answer: 180 Detailed Answer: 187

15. Which of the following is a type of malware that provides the spam or virus originator with a venue to propagate?
❍ A. Logic bomb
❍ B. Botnet
❍ C. Adware
❍ D. Rootkit
Quick Answer: 180 Detailed Answer: 187

16. Which of the following is true with regard to antispyware programs?
❍ A. They must be updated regularly.
❍ B. They can detect rootkits.
❍ C. They can detect botnets.
❍ D. They do not have to be updated.
Quick Answer: 180 Detailed Answer: 187

17. Which of the following best describes the primary security issue with botnets?
❍ A. They are malicious.
❍ B. They can remain undetected.
❍ C. They can execute code.
❍ D. They are remotely controlled.
Quick Answer: 180 Detailed Answer: 187

18. Which of the following is also referred to as slag code?
❍ A. Logic bomb
❍ B. Botnet
❍ C. Adware
❍ D. Rootkit
Quick Answer: 180 Detailed Answer: 187
19. A buffer overflow can result in which of the following? (Select all correct answers.)
❍ A. A denial of service
❍ B. Automatic code replication to other hosts
❍ C. Execution of arbitrary code at a privileged level
❍ D. Overwriting of data or memory storage
Quick Answer: 180 Detailed Answer: 187

20. Which of the following are virus types? (Select all correct answers.)
❍ A. Polymorphic
❍ B. Polynomial
❍ C. Stealth
❍ D. Covert
Quick Answer: 180 Detailed Answer: 188

21. Which of the following best describes a boot sector virus?
❍ A. Can change each time it is executed to avoid detection
❍ B. Uses techniques to avoid detection
❍ C. Is placed into the first sector of the hard drive
❍ D. Infects executable program files and becomes active in memory
Quick Answer: 180 Detailed Answer: 188

22. Which of the following is another name for a botnet?
❍ A. Privilege escalation
❍ B. Global hook
❍ C. Honeynet
❍ D. Zombie army
Quick Answer: 180 Detailed Answer: 188

23. Which of the following is most like spyware?
❍ A. Virus
❍ B. Trojan
❍ C. Spam
❍ D. Worm
Quick Answer: 180 Detailed Answer: 188

24. Which of the following best describes what rootkits use for stealth activity?
❍ A. Global hooks
❍ B. Tracking software/adware
❍ C. Privilege escalation
❍ D. Social engineering
Quick Answer: 180 Detailed Answer: 188
25. Which of the following is the most effective method to avoid rootkit infection?
❍ A. Never responding to the sender of an unsolicited email message
❍ B. Running operating systems from an account with lesser privileges
❍ C. Properly disabling the accounts of all terminated employees
❍ D. Only downloading trusted applications
Quick Answer: 180 Detailed Answer: 188

26. Which of the following best describes a botnet?
❍ A. A program designed to execute malicious actions when a certain event occurs or a period of time goes by
❍ B. A large number of programs disguised as useful applications
❍ C. A large number of computers that forward transmissions to other computers on the Internet
❍ D. Exploitation in software code that takes advantage of a programming flaw
Quick Answer: 180 Detailed Answer: 188

27. Which of the following terms is most closely related to software exploitation that crashes the system and leaves it in a state where arbitrary code can be executed?
❍ A. Logic bomb
❍ B. Privilege escalation
❍ C. Spam
❍ D. Trojan
Quick Answer: 180 Detailed Answer: 189

28. Which of the following are the most effective ways to prevent an attacker from exploiting software? (Select all correct answers.)
❍ A. Apply current patches
❍ B. Do not allow Internet access
❍ C. Apply current service packs
❍ D. Monitor the Web for newly discovered vulnerabilities
Quick Answer: 180 Detailed Answer: 189

29. Which of the following viruses is a hybrid of boot and program viruses?
❍ A. Polymorphic
❍ B. Macro
❍ C. Stealth
❍ D. Multipartite
Quick Answer: 180 Detailed Answer: 189
30. Which of the following malware finds other systems running the same vulnerable software and then replicates itself without any user interaction?
❍ A. Virus
❍ B. Trojan
❍ C. Worm
❍ D. Logic bomb
Quick Answer: 180 Detailed Answer: 189

31. Which of the following is the main difference between a Trojan and a virus?
❍ A. A Trojan requires user interaction and a virus does not.
❍ B. A Trojan does not replicate itself and a virus does.
❍ C. A virus does not require user interaction and a Trojan does.
❍ D. A virus does not replicate itself and a Trojan does.
Quick Answer: 180 Detailed Answer: 189

32. Which of the following are indications that a computer may contain spyware? (Select all correct answers.)
❍ A. The browser home page changes.
❍ B. It takes a long time for the Windows desktop to come up.
❍ C. Clicking a link does nothing or goes to an unexpected website.
❍ D. The email inbox contains an unsolicited email message.
Quick Answer: 180 Detailed Answer: 189

33. Which of the following are acceptable ways of dealing with spam? (Select all correct answers.)
❍ A. Delete the email without opening it.
❍ B. Reply back and try to identify the spammer.
❍ C. Turn off the preview function of your email software.
❍ D. Immediately call the local law enforcement office.
Quick Answer: 180 Detailed Answer: 190

34. Which of the following are ways a rootkit can be installed? (Select all correct answers.)
❍ A. By accessing documents on the local intranet.
❍ B. Included as part of a software package.
❍ C. An unpatched vulnerability.
❍ D. The user downloads it.
Quick Answer: 180 Detailed Answer: 190
35. Which of the following is a type of malware that can use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port?
❍ A. Logic bomb
❍ B. Botnet
❍ C. Adware
❍ D. Rootkit
Quick Answer: 180 Detailed Answer: 190

36. The system administrator abruptly leaves the organization after being passed over for a promotion. Two weeks later, employees report they cannot access files. It has been determined that at midnight the system suddenly began deleting files. Which of the following is the most likely type of malicious code that caused this event?
❍ A. Logic bomb
❍ B. Botnet
❍ C. Adware
❍ D. Rootkit
Quick Answer: 180 Detailed Answer: 190

37. Which of the following would best describe the type of malicious code that enters a system through a freeware program that the user installed?
❍ A. Virus
❍ B. Trojan
❍ C. Worm
❍ D. Logic bomb
Quick Answer: 180 Detailed Answer: 190

38. Which of the following types of virus avoids antivirus software detection by changing form each time it is executed?
❍ A. Polymorphic
❍ B. Macro
❍ C. Stealth
❍ D. Multipartite
Quick Answer: 180 Detailed Answer: 190

39. Which of the following is an automated computer program controlled by outside sources with the intention of forwarding transmissions to other computers on the Internet?
❍ A. Logic bomb
❍ B. Adware
❍ C. Bot
❍ D. Virus
Quick Answer: 180 Detailed Answer: 191
40. Which of the following are steps taken to protect a network from malicious code? (Select all correct answers.)
❍ A. Do not use any type of removable media from another user without first scanning the disk.
❍ B. Open all attachments sent to you by people you might know.
❍ C. Install firewalls or intrusion-prevention systems on client machines.
❍ D. Subscribe to security newsgroups.
Quick Answer: 180 Detailed Answer: 191

Objective 3.2: Analyze and differentiate among types of attacks.

1. Which of the following ports should be blocked when it has been determined that an intruder has been using Telnet for unauthorized access?
❍ A. 110
❍ B. 21
❍ C. 23
❍ D. 443
Quick Answer: 180 Detailed Answer: 191

2. Which of the following ports should be blocked when it has been determined that an intruder has been using SNMP for unauthorized access? (Select all correct answers.)
❍ A. 161
❍ B. 162
❍ C. 443
❍ D. 4445
Quick Answer: 180 Detailed Answer: 191

3. Which of the following best describes TCP/IP hijacking?
❍ A. Providing false identity information to gain unauthorized access
❍ B. An established connection without specifying a username or password
❍ C. An attacker takes control of a session between the server and a client
❍ D. Redirecting traffic by changing the IP record for a specific domain
Quick Answer: 180 Detailed Answer: 191
4. Which of the following best describes spoofing?
❍ A. Providing false identity information to gain unauthorized access
❍ B. An established connection without specifying a username or password
❍ C. An attacker takes control of a session between the server and a client
❍ D. Redirecting traffic by changing the IP record for a specific domain
Quick Answer: 180 Detailed Answer: 191
5. Which of the following best describes a null session?
❍ A. Providing false identity information to gain unauthorized access
❍ B. An established connection without specifying a username or password
❍ C. An attacker takes control of a session between the server and a client
❍ D. Redirecting traffic by changing the IP record for a specific domain
Quick Answer: 180 Detailed Answer: 192
6. Which of the following best describes DNS poisoning?
❍ A. Providing false identity information to gain unauthorized access
❍ B. An established connection without specifying a username or password
❍ C. An attacker taking control of a session between the server and a client
❍ D. Redirecting traffic by changing the IP record for a specific domain
Quick Answer: 180 Detailed Answer: 192
7. Which of the following best describes a man-in-the-middle attack?
❍ A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.
❍ B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.
❍ C. An attack that typically involves flooding a listening port on a machine with packets to disrupt service.
❍ D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
Quick Answer: 180 Detailed Answer: 192
8. Which of the following best describes a replay attack?
❍ A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.
❍ B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.
❍ C. An attack that typically involves flooding a listening port on a machine with packets to disrupt service.
❍ D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
Quick Answer: 180 Detailed Answer: 192
9. Which of the following best describes a DDoS attack?
❍ A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.
❍ B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.
❍ C. An attack that typically involves flooding a listening port on a machine with packets to disrupt the resources.
❍ D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
Quick Answer: 180 Detailed Answer: 192
10. Which of the following methods can be used to mitigate DDoS attacks? (Select all correct answers.)
❍ A. Setting up filters on external routers to drop all ICMP packets
❍ B. Reducing the amount of time before the reset of an unfinished TCP connection
❍ C. Increasing the amount of time before the reset of an unfinished TCP connection
❍ D. Setting up a filter that denies traffic originating from the Internet that shows an internal network address
Quick Answer: 180 Detailed Answer: 192
11. Which of the following best describes ARP poisoning?
❍ A. Broadcasting a fake reply to an entire network
❍ B. Changing the IP record for a specific domain
❍ C. Sending fragmented UDP packets
❍ D. Distributing zombie software
Quick Answer: 180 Detailed Answer: 193
12. Which of the following attacks is associated with services using an interprocess communication share such as network file and print-sharing services?
❍ A. DNS spoofing
❍ B. Null sessions
❍ C. ARP poisoning
❍ D. DNS kiting
Quick Answer: 180 Detailed Answer: 193
13. Which of the following sends hundreds of ICMP packets to the host to block or reduce activity?
❍ A. DNS spoofing
❍ B. ARP poisoning
❍ C. Man-in-the-middle
❍ D. Denial of service
Quick Answer: 180 Detailed Answer: 193
14. Which of the following types of attack is most likely being executed when an unauthorized service is relaying information to a source outside the network?
❍ A. DNS spoofing
❍ B. ARP poisoning
❍ C. Man-in-the-middle
❍ D. Denial of service
Quick Answer: 180 Detailed Answer: 193
15. Which of the following best describes the primary security issue with null sessions?
❍ A. The sessions are not terminated properly.
❍ B. The connection is not authenticated.
❍ C. The connection is not encrypted.
❍ D. The sessions are remotely controlled.
Quick Answer: 180 Detailed Answer: 193
16. Which of the following is the most effective way to reduce null session vulnerability?
❍ A. Reducing the reset time of an unfinished TCP connection
❍ B. Using the signing capabilities of certificates
❍ C. Setting up filters to drop all ICMP packets
❍ D. Disabling NetBIOS over TCP/IP
Quick Answer: 180 Detailed Answer: 193
17. Which of the following are effective ways to mitigate spoofing attacks? (Select all correct answers.)
❍ A. Editing the Registry on Windows-based computers to restrict anonymous access
❍ B. Using IPsec to secure transmissions between critical servers and clients
❍ C. Denying traffic originating from the Internet that shows an internal network address
❍ D. Using the signing capabilities of certificates on servers and clients
Quick Answer: 180 Detailed Answer: 194
18. Which of the following is the most effective method to mitigate session hijacking?
❍ A. Denying traffic originating from the Internet that shows an internal network address
❍ B. Forcing users to reauthenticate before allowing transactions to occur
❍ C. Reducing the amount of time before the reset of an unfinished TCP connection
❍ D. Setting up filters on external routers to drop all incoming ICMP packets
Quick Answer: 180 Detailed Answer: 194
19. When mitigating null session vulnerability, which of the following ports should be closed? (Select all correct answers.)
❍ A. 161
❍ B. 162
❍ C. 139
❍ D. 445
Quick Answer: 180 Detailed Answer: 194
20. Which of the following sessions can typically result in a man-in-the-middle attack? (Select all correct answers.)
❍ A. Telnet
❍ B. Wireless
❍ C. Email
❍ D. Samba
Quick Answer: 180 Detailed Answer: 194
21. Which of the following are ways to minimize the effects of DNS poisoning when hosting your own DNS? (Select all correct answers.)
❍ A. Checking that the hosting server is not open-recursive
❍ B. Running operating systems from an account with lesser privileges
❍ C. Using different servers for authoritative and recursive lookups
❍ D. Disabling recursive access for networks to resolve names that are not in zone files
Quick Answer: 180 Detailed Answer: 194
22. Which of the following are the most effective methods to mitigate ARP poisoning on a large network? (Select all correct answers.)
❍ A. Using equipment that offers port security
❍ B. Using static mapping for IP addresses and ARP tables
❍ C. Using script-based mapping for IP addresses and ARP tables
❍ D. Deploying monitoring tools or an intrusion detection system (IDS)
Quick Answer: 180 Detailed Answer: 194
23. Which of the following best describes privilege escalation?
❍ A. A default set of user credentials
❍ B. Data transmitted that can be easily sniffed
❍ C. Accidental or intentional access to resources
❍ D. Application code functions allowing unauthorized access
Quick Answer: 180 Detailed Answer: 195
24. Which of the following best describes a back door?
❍ A. A default set of user credentials
❍ B. Data transmitted that can be easily sniffed
❍ C. Accidental or intentional access to resources
❍ D. Application code functions allowing unauthorized access
Quick Answer: 180 Detailed Answer: 195
25. In a corporate environment, which of the following is most vulnerable to DoS attacks?
❍ A. Internal user systems
❍ B. Network resources
❍ C. Network storage
❍ D. Internal servers
Quick Answer: 180 Detailed Answer: 195
26. Which of the following best describes a denial-of-service (DoS) attack?
❍ A. Intentional access to resources not intended for access by the user
❍ B. Application code functions that allow unauthorized access to network resources
❍ C. Attempt to block access by overwhelming network availability
❍ D. Attempt to directly access the resources through unauthorized means
Quick Answer: 180 Detailed Answer: 195
27. Which of the following is the best method to mitigate attacks against networking devices and services installed with a default set of user credentials?
❍ A. Replacing them on an as-needed basis
❍ B. Replacing them when an attack has been detected
❍ C. Replacing them with unique strong logon credentials
❍ D. Replacing them with the same strong logon credential
Quick Answer: 180 Detailed Answer: 195
28. Which of the following is the most common origin of back doors?
❍ A. Created during application development
❍ B. Created during user interface testing
❍ C. Created during implementation
❍ D. Created during system certification
Quick Answer: 180 Detailed Answer: 196
29. Which of the following should be performed when implementing distributed wireless network configurations spanning multiple buildings or open natural areas?
❍ A. Land survey
❍ B. Building inspection
❍ C. OSHA inspection
❍ D. Site survey
Quick Answer: 180 Detailed Answer: 196
30. Which of the following is most closely linked to privilege escalation?
❍ A. SSID broadcast
❍ B. Application flaws
❍ C. Application development
❍ D. Automated attacks
Quick Answer: 180 Detailed Answer: 196
31. Which of the following is most closely linked to weak passwords?
❍ A. SSID broadcast
❍ B. Application flaws
❍ C. Application development
❍ D. Automated attacks
Quick Answer: 181 Detailed Answer: 196
32. Which of the following is most closely linked to back doors?
❍ A. SSID broadcast
❍ B. Application flaws
❍ C. Application development
❍ D. Automated attacks
Quick Answer: 181 Detailed Answer: 197
33. Which of the following is most closely linked to default accounts?
❍ A. Network resources
❍ B. Application flaws
❍ C. Network credentials
❍ D. Automated attacks
Quick Answer: 181 Detailed Answer: 197
34. Which of the following is most closely linked to denial of service?
❍ A. Network resources
❍ B. SSID broadcast
❍ C. Network credentials
❍ D. Application development
Quick Answer: 181 Detailed Answer: 197
35. Which of the following best describes the situation where User A can read User B’s email without specific authorization?
❍ A. Privilege escalation
❍ B. Default accounts
❍ C. Weak passwords
❍ D. Back door
Quick Answer: 181 Detailed Answer: 197
36. Which of the following best describes the situation where a software designer puts in shortcut entry points to allow rapid code evaluation and testing?
❍ A. Privilege escalation
❍ B. Default accounts
❍ C. Weak passwords
❍ D. Back door
Quick Answer: 181 Detailed Answer: 198
37. Which of the following attacks are associated with weak passwords? (Select all correct answers.)
❍ A. Packet sniffing
❍ B. Automated attacks
❍ C. Social engineering
❍ D. Denial of service
Quick Answer: 181 Detailed Answer: 198
38. Which of the following attacks are associated with fringe service industries such as online casinos?
❍ A. Packet sniffing
❍ B. Automated attacks
❍ C. Social engineering
❍ D. Denial of service
Quick Answer: 181 Detailed Answer: 198
39. Which of the following is an email attack that is targeted toward a specific individual?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Pharming
Quick Answer: 181 Detailed Answer: 199
40. Which of the following is an attack where the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Pharming
Quick Answer: 181 Detailed Answer: 199
41. Which of the following is an attack that redirects victims to a bogus website, even if they correctly entered the intended site?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Pharming
Quick Answer: 181 Detailed Answer: 199
42. Which of the following attacks involves using phishing methods through text messaging?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Pharming
Quick Answer: 181 Detailed Answer: 199
43. Which of the following is a type of advertising message that targets users of instant messaging (IM) services?
❍ A. Vishing
❍ B. Spim
❍ C. Spam
❍ D. Phishing
Quick Answer: 181 Detailed Answer: 199
44. Which of the following attacks involves observing how a host responds to an odd TCP/IP packet?
❍ A. DNS spoofing
❍ B. Null sessions
❍ C. ARP poisoning
❍ D. Xmas attack
Quick Answer: 181 Detailed Answer: 200
45. Which of the following attacks is accomplished by gaining the trust of a computer that is trusted by the target network?
❍ A. Packet sniffing
❍ B. Transitive access
❍ C. Social engineering
❍ D. Denial of service
Quick Answer: 181 Detailed Answer: 200
Objective 3.3: Analyze and differentiate among types of social engineering attacks.
1. A help desk employee receives a call from someone who is posing as a technical aide attempting to update some type of information, and asks for identifying user details that may then be used to gain access. Which of the following types of attack has occurred?
❍ A. Pharming
❍ B. Social engineering
❍ C. Phishing
❍ D. Shoulder surfing
Quick Answer: 181 Detailed Answer: 200
2. A help desk employee receives a call from the administrative assistant. She has received an email stating if she doesn’t respond within 48 hours with certain personal information, the corporate bank account will be closed. Which of the following types of attack has occurred?
❍ A. Pharming
❍ B. Social engineering
❍ C. Phishing
❍ D. Shoulder surfing
Quick Answer: 181 Detailed Answer: 200
3. The help desk is flooded with calls from users that received an email warning them of a new virus. The mail instructed the users to search for and delete several files from their systems. Many of the users who attempted to reboot their systems after deleting the specified files are having difficulties and the machines are not rebooting properly. Which of the following types of attack has occurred?
❍ A. Pharming
❍ B. Hoax
❍ C. Phishing
❍ D. Spam
Quick Answer: 181 Detailed Answer: 200
4. An organization discovers that many employees have been responding to chain letter emails. Which of the following is the greatest concern to the organization?
❍ A. Undue burden on resources.
❍ B. They may contain viruses.
Quick Answer: 181 Detailed Answer: 201
❍ C. Theft of proprietary information.
❍ D. Nothing. Chain letters are harmless.
5. An organization allows employees to access confidential data remotely. Many of the sales staff spend extended time in public places and use this downtime to catch up on work. Which of the following is the greatest concern to the organization?
❍ A. Virus infection
❍ B. Social engineering
❍ C. Dumpster diving
❍ D. Shoulder surfing
Quick Answer: 181 Detailed Answer: 201
6. Which of the following types of attack is intended to go after high-profile targets such as an executive within a company?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Whaling
Quick Answer: 181 Detailed Answer: 201
7. An employee receives an automated call from the organization’s bank asking the employee to enter the bank account number and PIN on the telephone keypad to verify account information for their records. Which of the following types of attack has occurred?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Whaling
Quick Answer: 181 Detailed Answer: 201
8. The employees in the financial department of your organization have received emails from the local credit union, asking them to click on a link inside the email to update their passwords and user IDs because of a recent security breach. Which of the following types of attack has occurred?
❍ A. Spear Phishing
❍ B. Vishing
❍ C. Smishing
❍ D. Whaling
Quick Answer: 181 Detailed Answer: 201
9. An organization does not have a policy on proper document disposal. When Mary goes outside to empty her trash, a nice young man has been offering to do it for her. Which of the following best describes the attack that is taking place?
❍ A. Virus infection
❍ B. Social engineering
❍ C. Dumpster diving
❍ D. Shoulder surfing
Quick Answer: 181 Detailed Answer: 202
10. As Joe is about to enter a secured building, a nice young woman runs up behind him, smiles, and follows him into the building without using her own ID. Which of the following types of attack has occurred?
❍ A. Pharming
❍ B. Social engineering
❍ C. Shoulder surfing
❍ D. Tailgating
Quick Answer: 181 Detailed Answer: 202
Objective 3.4: Analyze and differentiate among types of wireless attacks.
1. Which of the following best describes a major security issue when implementing WAPs?
❍ A. WEP is the default encryption.
❍ B. The SSID is broadcast in plain text.
❍ C. They are hard to physically locate.
❍ D. Any node can view the data of another node.
Quick Answer: 181 Detailed Answer: 202
2. Which of the following best describes why data emanation is a security risk in wireless networks? (Select all correct answers.)
❍ A. It uses 802.1x transmissions that generate detectable radio-frequency signals funneled into one direction.
❍ B. Sniffing the data may use many solutions to increase the distance over which detection is possible.
❍ C. Sniffing the data may use many solutions to reduce the distance over which transmission is possible.
❍ D. It uses 802.1x transmissions that generate detectable radio-frequency signals in all directions.
Quick Answer: 181 Detailed Answer: 202
3. Which of the following is the primary method to mitigate the vulnerabilities associated with communication over an 802.1x wireless link?
❍ A. Authentication
❍ B. Encryption
❍ C. Identification
❍ D. Authorization
Quick Answer: 181 Detailed Answer: 203
4. Which of the following types of attack is associated with the use of wireless communication? (Select all correct answers.)
❍ A. Packet sniffing
❍ B. Session hijacking
❍ C. Man-in-the-middle
❍ D. Spam relaying
Quick Answer: 181 Detailed Answer: 203
5. Which best describes why session hijacking is possible in wireless communication?
❍ A. There is no authorization mechanism.
❍ B. There is no authentication mechanism.
❍ C. The authentication mechanism is one-way.
❍ D. The authorization mechanism is one-way.
Quick Answer: 181 Detailed Answer: 203
6. Which of the following best describes why a man-in-the-middle attack is possible in wireless communication?
❍ A. The request for connection by the client is a bidirectional open broadcast.
❍ B. The request for connection by the access point is a bidirectional open broadcast.
❍ C. The request for connection by the access point is an omnidirectional open broadcast.
❍ D. The request for connection by the client is an omnidirectional open broadcast.
Quick Answer: 181 Detailed Answer: 203
7. Which of the following best describes war-driving?
❍ A. Driving around with a laptop system configured to listen for open access points
❍ B. Dialing a large range of telephone numbers in search of devices that can be exploited
❍ C. Marking landmarks to indicate the presence of an available access point
❍ D. Accessing an open public WAP for a monthly fee or commission from the end user
Quick Answer: 181 Detailed Answer: 203
8. Which of the following best describes war-chalking?
❍ A. Driving around with a laptop system configured to listen for open access points
❍ B. Dialing a large range of telephone numbers in search of devices that can be exploited
❍ C. Marking landmarks to indicate the presence of an available access point
❍ D. Accessing an open public WAP for a monthly fee or commission from the end user
Quick Answer: 181 Detailed Answer: 203
9. Which of the following best describes bluejacking?
❍ A. Driving around with a laptop configured to listen for open access points
❍ B. Sending broadcast spam from a nearby Bluetooth-enabled device
❍ C. Deleting data on a Bluetooth device that has opened a connection
❍ D. Marking landmarks to indicate an available open access point
Quick Answer: 181 Detailed Answer: 203
10. Which of the following best describes bluesnarfing?
❍ A. Driving around with a laptop configured to listen for open access points
❍ B. Sending broadcast spam from a nearby Bluetooth-enabled device
❍ C. Deleting data on a Bluetooth device that has opened a connection
❍ D. Marking landmarks to indicate an available open access point
Quick Answer: 181 Detailed Answer: 204
11. Which of the following best describes a WLAN technology that uses Ethernet protocols?
❍ A. Wi-Fi
❍ B. i-Mode
❍ C. Bluetooth
❍ D. WAP
Quick Answer: 181 Detailed Answer: 204
12. Which of the following best describes the situation that allows using reflective tube waveguides such as a Pringle’s can to capture data?
❍ A. Weak encryption
❍ B. Session hijacking
❍ C. War-driving
❍ D. Data emanation
Quick Answer: 181 Detailed Answer: 204
13. Which of the following best describes the situation that allows a hijacker to wait until the authentication cycle is completed, then generate a signal that causes the client to think it has been disconnected from the access point?
❍ A. Weak encryption
❍ B. Session hijacking
❍ C. War-driving
❍ D. Data emanation
Quick Answer: 181 Detailed Answer: 204
14. Which of the following best describes what might allow data transacted over an 802.1x wireless link to be passed in clear form?
❍ A. Weak encryption
❍ B. Session hijacking
❍ C. War-driving
❍ D. Data emanation
Quick Answer: 181 Detailed Answer: 205
15. Which of the following best describes the situation where an attack is aimed at pairing with the attacker’s device for unauthorized access, modification, or deletion of data?
❍ A. Bluejacking
❍ B. Bluesnarfing
❍ C. War-driving
❍ D. War-chalking
Quick Answer: 181 Detailed Answer: 205
16. Which of the following best describes the situation that allows an attack aimed at the identification of existing wireless networks, the SSID used, and any known WEP keys?
❍ A. Weak encryption
❍ B. Session hijacking
❍ C. War-driving
❍ D. Data emanation
Quick Answer: 181 Detailed Answer: 205
17. Which of the following best describes the situation where an attack is aimed at generating messages that appear to be from the device itself?
❍ A. Bluejacking
❍ B. Bluesnarfing
❍ C. War-driving
❍ D. War-chalking
Quick Answer: 181 Detailed Answer: 205
18. In which of the following attacks would the implementation of a rogue AP with stronger signal strength than more remote permanent installations be found?
❍ A. Weak encryption
❍ B. Man-in-the-middle
❍ C. War-driving
❍ D. Data emanation
Quick Answer: 181 Detailed Answer: 206
19. The Wi-Fi Protected Access standards were developed by the Wi-Fi Alliance to replace which of the following?
❍ A. DES
❍ B. WAP
❍ C. AES
❍ D. WEP
Quick Answer: 181 Detailed Answer: 206
20. WSL is equivalent to which of the following layers of the OSI model?
❍ A. Session
❍ B. Transport
❍ C. Network
❍ D. Presentation
Quick Answer: 181 Detailed Answer: 206
Objective 3.5: Analyze and differentiate among types of application attacks.
1. Which of the following are identified vulnerabilities of the Java language? (Select all correct answers.)
❍ A. Buffer overflows
❍ B. Unauthorized file upload
Quick Answer: 181 Detailed Answer: 206
❍ C. Email exposure
❍ D. Unexpected redirection
2. Which of the following most accurately describes how Java applets execute?
❍ A. When the web server retrieves the directory web page
❍ B. When the web server’s browser loads the hosting web page
❍ C. When the client machine’s browser loads the hosting web page
❍ D. When the operating system loads the hosting web page
Quick Answer: 181 Detailed Answer: 206
3. Which of the following best describes the reason Java applets are a security risk?
❍ A. Java is compiled on the client browser.
❍ B. Java is a precompiled language.
❍ C. Java is compiled by the client operating system.
❍ D. Java applets execute on the hosting web server.
Quick Answer: 181 Detailed Answer: 207
4. Which of the following are identified vulnerabilities of JavaScript? (Select all correct answers.)
❍ A. Buffer overflows
❍ B. Unauthorized file upload
❍ C. Email exposure
❍ D. Unexpected redirection
Quick Answer: 181 Detailed Answer: 207
5. Which of the following is the most effective method to mitigate vulnerabilities exposed by earlier forms of Java?
❍ A. Keeping machines up-to-date with new version releases
❍ B. Disabling third-party browser extensions
❍ C. Setting the pop-up blocker setting to high
❍ D. Enabling Integrated Windows Authentication
Quick Answer: 181 Detailed Answer: 207
6. ActiveX and its controls share many of the same vulnerabilities present in which of the following?
❍ A. Cookies
❍ B. JavaScript
❍ C. Embedded Java applets
❍ D. Common Gateway Interface script
Quick Answer: 181 Detailed Answer: 207
7. Which of the following is the most realistic method to mitigate having cookies expose long-term browsing habits?
❍ A. Regularly clearing the browser cookie cache
❍ B. Configuring client browsers to block all cookies
❍ C. Disabling automatic code execution on client browsers
❍ D. Disabling third-party browser extensions
Quick Answer: 181 Detailed Answer: 207
8. Which of the following is the most effective method to mitigate buffer overflows or cross-site scripting attacks?
❍ A. Accepting only numeric data input
❍ B. Disabling third-party browser extensions
❍ C. Validating data input
❍ D. Blocking third-party cookies
Quick Answer: 181 Detailed Answer: 207
9. Which of the following is most likely to use a tracking cookie?
❍ A. Spyware
❍ B. Credit Union
❍ C. Trojan
❍ D. Shopping cart
Quick Answer: 181 Detailed Answer: 208
10. Which of the following best describes what the exploitation of Simple Mail Transfer Protocol (SMTP) relay agents is used for?
❍ A. Buffer overflow
❍ B. Logic bomb
❍ C. Spyware
❍ D. Spam
Quick Answer: 181 Detailed Answer: 208
11. Which of the following best describes a tracking cookie?
❍ A. Beneficial
❍ B. Permanent
❍ C. Temporary
❍ D. Valuable
Quick Answer: 181 Detailed Answer: 208
12. S-HTTP communicates over which of the following ports?
❍ A. 80
❍ B. 443
❍ C. 110
❍ D. 4445
Quick Answer: 181 Detailed Answer: 208
13. HTTPS communicates over which of the following ports?
❍ A. 80
❍ B. 443
❍ C. 110
❍ D. 4445
Quick Answer: 181 Detailed Answer: 208
14. Which of the following exploits are associated with SSL certificates? (Select all correct answers.)
❍ A. Ill-formatted requests
❍ B. Small key sizes
❍ C. Outdated CRLs
❍ D. Buffer overflows
Quick Answer: 181 Detailed Answer: 208
15. Which of the following vulnerabilities are associated with LDAP? (Select all correct answers.)
❍ A. Ill-formatted requests
❍ B. Small key sizes
❍ C. Outdated CRLs
❍ D. Buffer overflows
Quick Answer: 181 Detailed Answer: 209
16. Which of the following vulnerabilities are associated with FTP? (Select all correct answers.)
❍ A. Buffer overflows
❍ B. Anonymous file access
❍ C. Unencrypted authentication
❍ D. Improper formatted requests
Quick Answer: 181 Detailed Answer: 209
17. FTP over SSL communicates over which of the following ports?
❍ A. 21
❍ B. 80
❍ C. 22
❍ D. 81
Quick Answer: 181 Detailed Answer: 209
18. Which of the following are security concerns when allowing IM applications on the network? (Select all correct answers.)
❍ A. The capture of cached logs containing conversations
❍ B. Malware spreading through IM contacts
❍ C. Unauthorized data and video sharing
❍ D. Improper formatted requests
Quick Answer: 181 Detailed Answer: 209
19. Which of the following are exploits for CGI scripts? (Select all correct answers.)
❍ A. Anonymous file access.
❍ B. Arbitrary commands may be executed on the server.
❍ C. Arbitrary commands may be executed on the client.
❍ D. Buffer overflows.
Quick Answer: 182 Detailed Answer: 209
20. An attacker places code within a web page that redirects the client’s browser to attack yet another site when a client’s browser opens the web page. This is an example of what type of attack?
❍ A. Buffer overflow
❍ B. Cross-site scripting
❍ C. Session hijacking
❍ D. Unencrypted authentication
Quick Answer: 182 Detailed Answer: 209
21. Which of the following best describes Java or JavaScript?
❍ A. Java applets allow access to cache information.
❍ B. JavaScript can provide access to files of known name.
❍ C. JavaScript runs even after the applet is closed.
❍ D. Java applets can execute arbitrary instructions on the server.
Quick Answer: 182 Detailed Answer: 210
22. Which of the following is another name for identification of configuration details of the server that may be helpful to later identify unauthorized access attempts?
❍ A. Profiling
❍ B. Reporting
❍ C. Abstracting
❍ D. Hyperlinking
Quick Answer: 182 Detailed Answer: 210
23. Which of the following is the most likely reason it is dangerous to maintain cookie session information?
❍ A. It provides custom user configuration settings.
❍ B. It may expose sensitive information about secured sites.
❍ C. It allows multiple actual connections to a web server.
❍ D. It may allow automatic code execution on client browsers.
Quick Answer: 182 Detailed Answer: 210
24. Which of the following are browser-based vulnerabilities? (Select all correct answers.)
❍ A. Session hijacking
❍ B. SQL injection
❍ C. Buffer overflows
❍ D. Social engineering
Quick Answer: 182 Detailed Answer: 210
25. Which of the following is of most concern for a security administrator when allowing peer-to-peer networking?
❍ A. Buffer-overflow attacks can go unnoticed.
❍ B. Unauthorized file upload to network servers.
❍ C. Connections are negotiated directly between clients.
❍ D. Arbitrary commands may be executed on the server.
Quick Answer: 182 Detailed Answer: 210
Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques.
1. Physically unsecured equipment is vulnerable to which of the following types of attack?
❍ A. Brute force
❍ B. Social engineering
❍ C. Malware
❍ D. Rootkits
Quick Answer: 182 Detailed Answer: 210
2. Which of the following is the primary goal of a physical security plan?
❍ A. To deny access to most users allowing only corporate officers
❍ B. To allow access to all visitors without causing undue duress
❍ C. To allow only trusted use of resources via positive identification
❍ D. To deny access to all except users deemed credible
Quick Answer: 182 Detailed Answer: 211
166
Chapter 3
3. Which of the following may be used to prevent an intruder from monitoring users in very high-security areas? (Select all correct answers.)
❍ A. Picket fencing
❍ B. Painted glass
❍ C. Frosted glass
❍ D. Chain-link fencing
4. Which of the following best describes the physical area known as no-man’s land?
❍ A. An area of cleared land surrounding a building
❍ B. An area of bushes surrounding a building
❍ C. A holding area between two entry points
❍ D. A receiver mechanism that reads an access card
5. Which of the following best describes a mantrap?
❍ A. An area of cleared land surrounding a building
❍ B. An area of bushes surrounding a building
❍ C. A holding area between two entry points
❍ D. A receiver mechanism that reads an access card
6. Which of the following best describes the difference between a cipher lock and a wireless lock?
❍ A. A cipher lock is opened by a receiver mechanism, whereas a wireless lock has a punch code entry.
❍ B. A cipher lock is opened with a key, whereas a wireless lock has a remote control mechanism.
❍ C. A cipher lock is opened with a remote control mechanism, whereas a wireless lock is opened with a key.
❍ D. A cipher lock has a punch code entry, whereas a wireless lock is opened by a receiver mechanism.
7. Which of the following types of surveillance would the organization implement if it were required that the parking lot be constantly monitored?
❍ A. CCTV cameras
❍ B. Security guards
❍ C. Keycard gate
❍ D. Motion detectors
8. Which of the following technologies are used in external motion detectors? (Select all correct answers.)
❍ A. Infrared
❍ B. Sound
❍ C. RFID
❍ D. Ultrasonic
9. Which of the following best describes mandatory physical control?
❍ A. User access is closely monitored and very restricted with no exceptions.
❍ B. Common needs are predetermined, and access is allowed with the same key.
❍ C. Access is delegated to parties responsible for that building or room.
❍ D. Each individual has a unique key that corresponds to his or her access needs.
10. Which of the following best describes role-based physical control?
❍ A. User access is closely monitored and very restricted with no exceptions.
❍ B. Common needs are predetermined, and access is allowed with the same key.
❍ C. Access is delegated to parties responsible for that building or room.
❍ D. Each individual has a unique key that corresponds to his or her access needs.
11. Which of the following physical safeguards would provide the best protection for a building that houses top-secret sensitive information and systems? (Choose all that apply.)
❍ A. Mantrap
❍ B. No-man’s land
❍ C. Wooden fence
❍ D. Door access system
12. Which of the following physical safeguards would be most commonly implemented in security for banks?
❍ A. Mantraps
❍ B. Security dogs
❍ C. Painted glass
❍ D. Video surveillance
13. Which of the following is the main security concern of implementing motion detectors?
❍ A. They can easily be deactivated.
❍ B. They can easily be fooled.
❍ C. They are extremely sensitive.
❍ D. They are extremely expensive.
14. Running which of the following commands is the quickest way to tell which ports are open and which services are running on the machine?
❍ A. netstat
❍ B. nbtstat
❍ C. ipconfig
❍ D. msconfig
15. Which of the following protocols is used for monitoring the health of network equipment, computer equipment, and devices?
❍ A. SNAP
❍ B. SMTP
❍ C. SDLC
❍ D. SNMP
16. Which of the following are effective ways to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols? (Select all correct answers.)
❍ A. Keeping only protocols installed by default
❍ B. Allowing traffic only on necessary ports
❍ C. Removing any unnecessary protocols
❍ D. Allowing only traffic requested by users
17. Which of the following would be considered a best practice for improved server performance when deciding where to store log files?
❍ A. Store in the system directory of a machine in the DMZ
❍ B. Store in the system directory on the local machine
❍ C. Store on a nonsystem striped or mirrored disk volume
❍ D. Store on a nonsystem disk volume on the local machine
18. Which of the following would be considered a best security practice when deciding where to store log files?
❍ A. Stored in the system directory on the local machine
❍ B. Stored in a data directory on a server in the intranet
❍ C. Stored in the system directory of a machine in the DMZ
❍ D. Stored in a centralized repository of an offline volume
19. An organization requires the implementation of an enterprise application logging strategy. Which of the following would be a critical analysis consideration when choosing a solution?
❍ A. A proprietary custom-built solution
❍ B. Already built-in application logging solutions
❍ C. A solution that uses standard protocols and formats
❍ D. A variety of solutions that each use different formats
20. Internet Information Services (IIS) logs can be used for which of the following purposes? (Select all correct answers.)
❍ A. Assess content
❍ B. Identify bottlenecks
❍ C. End processes
❍ D. Investigate attacks
21. Which of the following most accurately describes best practice for using Microsoft DNS logging?
❍ A. Only the user events should be logged.
❍ B. Only pertinent events should be logged.
❍ C. All events should be logged so nothing is missed.
❍ D. Nothing should be logged until there is a need for it.
22. Which of the following would be the first place an administrator would look when troubleshooting UNIX- or Linux-based systems?
❍ A. Mtools.conf
❍ B. Msconfig
❍ C. Event Viewer
❍ D. Syslogd
23. Which of the following would be considered best practices for system logging? (Select all correct answers.)
❍ A. For easy compilation, keep log files in plain text.
❍ B. When permissible, encrypt the log files.
❍ C. Store log files on a standalone system.
❍ D. Store log files on individual system data partitions.
24. Which of the following would an administrator use to end applications that get hung up without having to reboot the machine?
❍ A. Network Monitor
❍ B. Task Manager
❍ C. Event Viewer
❍ D. Performance Console
25. Which of the following would provide information for troubleshooting remote-access policy issues?
❍ A. Internet Information Services logging
❍ B. Critical and error-level logging
❍ C. Authentication and accounting logging
❍ D. Event Viewer Application logging
26. Which of the following types of logging events are most commonly found in antivirus software? (Select all correct answers.)
❍ A. Updates
❍ B. Dropped packets
❍ C. Quarantined viruses
❍ D. Update history
27. An organization primarily contracts workers and is concerned about remote-access usage and remote-authentication attempts. Which of the following would the organization implement to track this type of activity?
❍ A. Firewall logging
❍ B. RRAS logging
❍ C. IIS logging
❍ D. System logging
28. Which of the following best describes auditing?
❍ A. The process of measuring the performance of a network
❍ B. The process of collecting data to be used for monitoring
❍ C. The process of tracking users and actions on the network
❍ D. The process of observing the state of a system
29. Which of the following are unintended consequences when auditing is not clear-cut or built around the organizational goals and policies? (Select all correct answers.)
❍ A. Irrelevant information is gathered.
❍ B. Important security events are deleted.
❍ C. User hard drives quickly run out of space.
❍ D. System administrators have reduced workloads.
30. A systems administrator is tasked with auditing user privileges. Which of the following steps must be taken? (Select two correct answers.)
❍ A. Enable logging within the operating system.
❍ B. Enable auditing within the operating system.
❍ C. Specify the resources to be audited.
❍ D. Specify the audit file storage directory.
31. An organization has primarily contract workers and is concerned about unauthorized and unintentional access on these accounts. Which of the following would the organization audit to track this type of activity?
❍ A. Group policies
❍ B. Retention policies
❍ C. DHCP events and changes
❍ D. Access use and rights changes
32. Which of the following is true about the auditing of failed logon events and successful logon events?
❍ A. Only failed events should be audited.
❍ B. Only successful events should be audited.
❍ C. Both successful and failed events should be audited.
❍ D. Neither one should be audited unless absolutely necessary.
33. Which of the following best describes the activity that involves collecting information used for monitoring and reviewing purposes?
❍ A. Auditing
❍ B. Logging
❍ C. Baselining
❍ D. Inspecting
34. Which of the following best describes the unintended consequence of turning on all auditing counters for all objects?
❍ A. Reduced user productivity
❍ B. Reduced I/O activity on user machines
❍ C. Reduced administrative overhead
❍ D. Reduced server performance
35. Which of the following best describes how settings will actually be applied to an object in a group policy?
❍ A. Individually applied to the object and only from the last policy
❍ B. A combination of all the settings that can affect the object
❍ C. Only from settings within the domain where the object is located
❍ D. A combination of only local group policies that affect the object
36. An administrator is attempting to resolve an issue with multiple group policies on several computers. Which of the following tools would be used to script GPO troubleshooting of multiple computers?
❍ A. Gpupdate
❍ B. Gpresult
❍ C. Resultant Set of Policy
❍ D. Group Policy object
37. Which of the following tools is used to review the effects of Group Policy settings on a particular computer?
❍ A. Resultant Set of Policy
❍ B. Group Policy object
❍ C. Gpupdate
❍ D. Local Security settings
38. An organization is concerned with unusual activity indicating that an intruder is attempting to gain access to the network. Which of the following event categories should be audited?
❍ A. Audit success events in the account management event category
❍ B. Success events in the policy change on domain controllers
❍ C. Success and failure events in the system events
❍ D. Audit success events in the logon event category
39. An organization wants a record of when each user logs on to or logs off from any computer. Which of the following event categories should be audited?
❍ A. Audit success events in the account management event category
❍ B. Success events in the policy change on domain controllers
❍ C. Success and failure events in the system events
❍ D. Audit success events in the logon event category
40. An organization wants to verify when users log on to or log off from the domain. Which of the following event categories should be audited?
❍ A. Audit success events in the account management event category
❍ B. Success events in the policy change on domain controllers
❍ C. Success events in the account logon on domain controllers
❍ D. Audit success events in the logon event category
Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities.
1. Which of the following is a software utility that will scan a single machine or a range of IP addresses checking for a response on service connections?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
2. Which of the following is a software utility that will scan a range of IP addresses testing for the presence of known weaknesses in software configuration and accessible services?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
3. Which of the following is a software utility that is used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
4. Which of the following is a software utility that is used to conduct network assessments over a range of IP addresses and compiles a listing of all systems, devices, and hardware present within a network segment?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
5. Which of the following best describes the purpose of OVAL?
❍ A. An abstract description for layered communications and computer network protocol design
❍ B. A family of standards dealing with local area networks and metropolitan area networks
❍ C. An international standard-setting body composed of representatives from various national standards organizations
❍ D. An international language for representing vulnerability information, allowing the development of vulnerability test tools
6. An administrator working in the Department of Homeland Security needs to document standards for the assessment process of systems. Which of the following would be most useful to the administrator?
❍ A. OVAL
❍ B. IEEE
❍ C. ISO
❍ D. ISSA
7. An organization wants to select an assessment tool for creating an inventory of services hosted on networked systems. Which of the following should the organization choose?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
8. An organization wants to select an assessment tool that will examine individual protocols and specific endpoints. Which of the following should the organization choose?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
9. An organization wants to select an assessment tool for checking particular versions and patch levels of a service. Which of the following should the organization choose?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
10. Which of the following assessment techniques are typically conducted using automated software programs designed to check code, as well as manual human checks, by someone not associated with development?
❍ A. Architecture reviews
❍ B. Code reviews
❍ C. Design reviews
❍ D. Attack surface determination
11. Which of the following refers to the amount of running code, services, and user-interaction fields and interfaces?
❍ A. Architecture reviews
❍ B. Code reviews
❍ C. Design reviews
❍ D. Attack surface determination
12. Which of the following assessment techniques typically provides the capability to identify faulty components and interaction between various elements?
❍ A. Architecture reviews
❍ B. Code reviews
❍ C. Design reviews
❍ D. Attack surface determination
13. When using a password cracker to test mandatory complexity guidelines, which of the following should the password cracker provide?
❍ A. The password only
❍ B. The password and hash value
❍ C. The username and password
❍ D. The strength of the password
14. An organization wants to select an assessment tool that will report information used to identify single points of failure. Which of the following should the organization choose?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
15. Which of the following tools is often referred to as a packet sniffer?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.
1. Which of the following is best described as a friendly attack against a network to test the security measures put into place?
❍ A. Vulnerability assessment
❍ B. Penetration test
❍ C. Security assessment
❍ D. Compliance test
2. Which of the following are the most serious downsides to conducting a penetration test? (Select all correct answers.)
❍ A. They can cause some disruption to network operations.
❍ B. The help desk can be flooded by affected users.
❍ C. They can generate false data in IDS systems.
❍ D. External users can have difficulty accessing resources.
3. Which of the following is true about inexperienced internal systems administrators performing penetration tests against the organizational network? (Select all correct answers.)
❍ A. It is a safe practice.
❍ B. It is a bad practice.
❍ C. It may be a violation of privacy laws.
❍ D. It does not violate any privacy laws.
4. Which of the following is true about the relationship between vulnerability assessment and penetration testing?
❍ A. They are inversely related.
❍ B. They are contradictory.
❍ C. They are separate functions.
❍ D. They are complementary.
5. Which of the following is the main security risk of penetration testing?
❍ A. It can conceal aggression that is unrelated to the test.
❍ B. It can affect user connectivity and resource access.
❍ C. It can disrupt the normal business environment.
❍ D. It can weaken the network’s security level.
6. Which of the following is conducted with the assessor having no information or knowledge about the inner workings of the system or knowledge of the source code?
❍ A. Black box
❍ B. White box
❍ C. Gray box
❍ D. Green box
7. In which of the following types of testing would a developer test if programming constructs are placed correctly and carry out the required actions?
❍ A. Black box
❍ B. White box
❍ C. Gray box
❍ D. Green box
8. An organization wants to select an assessment tool that will create graphical details suitable for reporting on network configurations. Which of the following should the organization choose?
❍ A. Port scanner
❍ B. Network mapper
❍ C. Protocol analyzer
❍ D. Vulnerability scanner
9. An organization wants to select an assessment tool that will directly test user logon password strength. Which of the following should the organization choose?
❍ A. Password locker
❍ B. Password generator
❍ C. Password cracker
❍ D. Password keychain
10. Which of the following best describes the difference between a port scanner and a vulnerability scanner?
❍ A. Port scanners test only for the availability of services; vulnerability scanners check for a particular version or patch level of a service.
❍ B. Port scanners compile a listing of all hardware present within a network segment; vulnerability scanners check for the availability of services.
❍ C. Vulnerability scanners test only for the availability of services; port scanners check for a particular version or patch level of a service.
❍ D. Vulnerability scanners compile a listing of all hardware present within a network segment; port scanners test for the availability of services.
Quick-Check Answer Key
Objective 3.1: Analyze and differentiate among types of malware.
1. A   2. C   3. A   4. B   5. C
6. B   7. A   8. C   9. A, B, C   10. A
11. D   12. C   13. A   14. D   15. B
16. A   17. B   18. A   19. A, B, D   20. A, C
21. C   22. D   23. B   24. A   25. B
26. C   27. B   28. A, C, D   29. D   30. C
31. B   32. A, B, C   33. A, C   34. B, C, D   35. D
36. A   37. B   38. A   39. C   40. A, C, D
Objective 3.2: Analyze and differentiate among types of attacks.
1. C   2. A, B   3. C   4. A   5. B
6. D   7. D   8. B   9. C   10. A, B, D
11. A   12. B   13. D   14. C   15. B
16. D   17. B, C, D   18. B   19. C, D   20. A, B
21. A, C, D   22. A, D   23. C   24. D   25. B
26. C   27. C   28. A   29. D   30. B
31. D   32. C   33. C   34. A   35. A
36. D   37. B, C   38. D   39. A   40. B
41. D   42. C   43. B   44. D   45. B
Objective 3.3: Analyze and differentiate among types of social engineering attacks.
1. B   2. C   3. B   4. A   5. D
6. D   7. B   8. A   9. C   10. D
Objective 3.4: Analyze and differentiate among types of wireless attacks.
1. B   2. D   3. C   4. A, B, C   5. C
6. D   7. A   8. C   9. B   10. C
11. A   12. D   13. B   14. A   15. B
16. C   17. A   18. B   19. D   20. A
Objective 3.5: Analyze and differentiate among types of application attacks.
1. A, D   2. C   3. B   4. B, C   5. A
6. C   7. B   8. D   9. A   10. D
11. B   12. A   13. B   14. B, C   15. A, D
16. B, C   17. A   18. A, B, C   19. A, C   20. D
21. B   22. A   23. B   24. A, C   25. C
Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques.
1. B   2. C   3. B, C   4. A   5. C
6. D   7. A   8. A, B, D   9. A   10. B
11. A, B, D   12. D   13. C   14. A   15. D
16. B, C   17. C   18. D   19. C   20. A, B, D
21. D   22. D   23. B, C   24. B   25. C
26. A, C, D   27. B   28. C   29. A, B   30. B, C
31. D   32. C   33. B   34. D   35. B
36. B   37. A   38. C   39. D   40. C
Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities.
1. A   2. D   3. C   4. B   5. D
6. A   7. A   8. C   9. D   10. B
11. D   12. A   13. D   14. B   15. C
Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.
1. B   2. A, C   3. B, C   4. D   5. A
6. A   7. B   8. B   9. C   10. A
Answers and Explanations
Objective 3.1: Analyze and differentiate among types of malware.
1. Answer: A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because programs disguised as useful applications are Trojans. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software (such as a game) and a user’s willingness to download and install the software. Answer C is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.
2. Answer: C. A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer A is incorrect. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because programs disguised as useful applications are Trojans. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.
3. Answer: A. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer B is incorrect because it describes IP spoofing. Answer C is incorrect because it describes spyware. Answer D is incorrect because it describes a worm. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating.
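The buffer-overflow condition that answers 1 and 2 describe (input that exceeds the storage reserved for it) is easier to see in code than in prose. The following C program is an added example and is not from the book: greet_unsafe copies a caller-supplied name into a fixed 16-byte stack buffer with no length check, which is the vulnerable pattern, and copy_bounded/greet_safe show the hardened form, which refuses input that will not fit instead of writing past the end of the buffer. The function names, the 16-byte buffer size and the sample inputs are this example's own choices, not details taken from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer: room for 15 characters plus the terminating NUL.
 * The size is an assumption made for this example. */
#define NAME_BUF_LEN 16

/*
 * VULNERABLE: strcpy() stops only at the source's NUL terminator, so a name
 * of 16 or more bytes is written past the end of buf, onto whatever the
 * compiler placed next on the stack (saved registers, the return address).
 * This is the "data exceeds the storage-space allocation" condition from the
 * explanation above. It is kept here for comparison and is never called.
 */
void greet_unsafe(const char *name)
{
    char buf[NAME_BUF_LEN];
    strcpy(buf, name);               /* no bound: overflows if strlen(name) >= 16 */
    printf("Hello, %s\n", buf);
}

/*
 * HARDENED: copy src into dst only if src and its NUL terminator fit in
 * dst_len bytes. Returns true on success, false if the input would have
 * overflowed (or on a NULL pointer / zero-length destination).
 * Rejecting oversized input, rather than silently truncating it, is the
 * right default for security-relevant fields: truncation can change the
 * meaning of a path or a user name without any error being raised.
 */
bool copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return false;

    /* Measure src without ever reading more than dst_len bytes of it. */
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)                /* no terminator within dst_len: too long */
        return false;

    memcpy(dst, src, n + 1);         /* n characters plus the NUL */
    return true;
}

/* Same greeting as greet_unsafe, with the bound enforced. Returns false and
 * prints nothing when the name does not fit. */
bool greet_safe(const char *name)
{
    char buf[NAME_BUF_LEN];
    if (!copy_bounded(buf, sizeof buf, name))
        return false;
    printf("Hello, %s\n", buf);
    return true;
}

int main(void)
{
    /* Constructed inputs: a short name that fits and a 64-byte name that does not. */
    const char *short_name = "alice";
    char long_name[65];
    memset(long_name, 'A', 64);
    long_name[64] = '\0';

    printf("short name: %s\n", greet_safe(short_name) ? "accepted" : "rejected");
    printf("long name:  %s\n", greet_safe(long_name) ? "accepted" : "rejected");
    /* greet_unsafe(long_name) would corrupt the stack; deliberately not run. */
    return 0;
}
```

The boundary worth checking by hand is the off-by-one: a 15-character name is the longest that fits a 16-byte buffer, because the NUL terminator needs the sixteenth byte; a 16-character name is rejected by copy_bounded but would be accepted, and would overflow, in greet_unsafe.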
4. Answer: B. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer C is incorrect. A bot provides a spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although recently it has become known that many computers in the corporate world are bots, too). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer D is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.
5. Answer: C. Code Red is a worm; it affected only web servers running Microsoft’s Internet Information Server (IIS). Answers A, B, and D are incorrect; Melissa, Acid Rain, and Mocmex are not worms. Melissa is a virus. Acid Rain and Mocmex are Trojans.
6. Answer: B. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or a period of time goes by. Answers A and D are incorrect because a specified time element is not involved. Answer C is incorrect because spoofing involves modifying the source address of traffic or the source of information.
7. Answer: A. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights is a rootkit. Answer C is incorrect because a large number of computers that forward transmissions to other computers on the Internet, allowing the originator a venue to propagate, is a botnet. Answer D is incorrect because a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection is adware. It reports data to the company, such as your surfing habits and which sites you have visited.
8. Answer: C. Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address. Therefore answers A, B, and D are incorrect.
9. Answer: A, B, C. Email spam lists are often created by scanning newsgroup postings, stealing Internet mailing lists, or searching the Web for addresses. Spammers use automated tools to subscribe to as many mailing lists as possible. From those lists, they capture addresses or use the mailing list as a direct target for their attacks. Answer D is incorrect because email spam lists are not created in this manner.
10. Answer: A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.
11. Answer: D. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer A is incorrect. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed.
12. Answer: C. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.
13. Answer: A. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.
14. Answer: D. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. Answer A is incorrect. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect. Spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer C is incorrect because adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection.
15. Answer: B. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.
16. Answer: A. Many spyware-eliminator programs are available. These programs scan your machine, similarly to how antivirus software scans for viruses; just as with antivirus software, you should keep spyware-eliminator programs updated and regularly run scans. Therefore, answer D is incorrect. Answers B and C are incorrect because antispyware programs cannot detect rootkits or botnets.
17. Answer: B. The main issue with botnets is that they are securely hidden. This allows the botnet masters to perform tasks, gather information, and commit crimes while remaining undetected. Answers A, C, and D are concerns, but the main security concern is that they can remain undetected.
18. Answer: A. A logic bomb is also referred to as slag code. It is malicious in intent, and usually planted by a disgruntled employee. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.
19. Answer: A, B, D. A buffer overflow can result in the overwriting of data or memory storage, a denial of service due to overloading the input buffer’s ability to cope with the additional data, or the originator can execute arbitrary code, often at a privileged level. Answer C is incorrect because a buffer overflow is targeted toward an individual machine.
20. Answer: A, C. There are several types of viruses, including boot sector, polymorphic, macro, program, stealth, and multipartite. Answers B and D are incorrect because they do not describe types of viruses.
21. Answer: C. A boot sector virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory. Answer A is incorrect because it describes a polymorphic virus. Answer B is incorrect because it describes a stealth virus. Answer D is incorrect because it describes a program virus.
22. Answer: D. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect because a popular method of privilege escalation is a buffer-overflow attack. Answer B is incorrect because most rootkits use global hooks for stealth activity. Answer C is incorrect because a honeynet is used for monitoring large networks.
23. Answer: B. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect because spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system, find other systems running the same software, and automatically replicate itself to the new host.
24. Answer: A. Most rootkits use global hooks for stealth activity. So, if you use security tools that can prevent programs from installing global hooks and stop process injection, you can prevent rootkit functioning. Answer B is incorrect because adware uses tracking software. Answer C is incorrect because privilege escalation is associated with buffer overflows. Answer D is incorrect because social engineering is taking advantage of human nature.
25. Answer: B. Rootkit functionality requires full administrator rights. Therefore, you can avoid rootkit infection by running Windows from an account with lesser privileges. Answer A is incorrect; it describes an effective way to deal with spam. Answer C is incorrect; it describes an effective way to deal with user account exploitation. Answer D is incorrect because it describes an effective way to deal with spyware.
26. Answer: C. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect because it describes a logic bomb. Answer B is incorrect because it describes Trojans. Answer D is incorrect because it describes a buffer overflow.
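Answers 10 and 19 above describe the condition behind a buffer overflow: input that exceeds the storage reserved for it. The C listing below is an added illustration, not code from the book; it places a fixed-size field filled without regard to its size next to two versions that check the length first. The struct, its field names, the 16-byte capacity and the sample names are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Space reserved in memory for a user name: 15 characters plus the
 * terminator. The struct, its fields and the sizes are constructed for
 * this example. */
#define NAME_CAP 16

struct account {
    char name[NAME_CAP];   /* the fixed storage allocation */
    int  privileged;       /* the neighbour an overrun of 'name' would reach */
};

/* 'Before': the number of bytes written is set by the input, not by
 * NAME_CAP. strcpy copies strlen(input) + 1 bytes, so an input of NAME_CAP
 * or more characters runs past 'name' (undefined behaviour). Kept only for
 * comparison; call it with data that is already known to fit. */
void set_name_unchecked(struct account *acct, const char *input)
{
    strcpy(acct->name, input);
}

/* The check the unchecked version lacks: does the input, including its
 * terminator, fit in a buffer of 'cap' bytes? */
bool fits(const char *input, size_t cap)
{
    return strlen(input) < cap;
}

/* 'After', policy 1: refuse input that does not fit. The caller decides
 * how to report the rejection; nothing is written. */
bool set_name_checked(struct account *acct, const char *input)
{
    if (!fits(input, sizeof acct->name))
        return false;
    memcpy(acct->name, input, strlen(input) + 1);
    return true;
}

/* 'After', policy 2: keep what fits. snprintf never writes more than the
 * buffer size and always terminates. Returns true when the whole input was
 * stored, false when it was cut short. */
bool set_name_truncating(struct account *acct, const char *input)
{
    int needed = snprintf(acct->name, sizeof acct->name, "%s", input);
    return needed >= 0 && (size_t)needed < sizeof acct->name;
}

int main(void)
{
    struct account a = { "", 0 };
    const char *short_name = "alice";
    const char *long_name = "a-name-longer-than-fifteen-characters";

    printf("checked, short    : %d\n", set_name_checked(&a, short_name));
    printf("checked, long     : %d (name still '%s')\n",
           set_name_checked(&a, long_name), a.name);
    printf("truncating, long  : %d (name now '%s')\n",
           set_name_truncating(&a, long_name), a.name);
    printf("privileged flag   : %d\n", a.privileged);
    set_name_unchecked(&a, short_name);   /* known to fit; see comment above */
    printf("unchecked, short  : '%s'\n", a.name);
    return 0;
}
```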
27. Answer: B. Privilege escalation takes advantage of a program’s flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator. Answer A is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect; spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer D is incorrect; Trojans are programs disguised as useful applications.
28. Answer: A, C, D. Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer’s latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities. Answer B is incorrect because it is not feasible to disconnect the network from the Internet.
29. Answer: D. A multipartite virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files or vice versa. Answer A is incorrect because a polymorphic virus can change each time it is executed. It was developed to avoid detection by antivirus software. Answer B is incorrect because a macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. Answer C is incorrect because a stealth virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size.
30. Answer: C. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system, find other systems running the same software, and automatically replicate itself to the new host. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer B is incorrect because a Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.
31. Answer: B. Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer A is incorrect because Trojans can perform actions without the user’s knowledge or consent, such as collecting and sending data or causing the computer to malfunction. Answers C and D are incorrect; a virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate.
32. Answer: A, B, C. Indications that a computer may contain spyware include the following: the system is slow (especially when browsing the Internet), it takes a long time for the Windows desktop to come up, clicking a link does nothing or goes to an unexpected website, the browser home page changes (and you might not be able to reset it), and web pages are automatically added to your favorites list. Answer D is incorrect because it describes spam.
33. Answer: A, C. When dealing with spam, the user should delete the email without opening it and turn off the preview function of the mail software. Answer B is incorrect because this is an inappropriate action. There are specific laws that deal with spamming, and trying to conduct your own investigation can be dangerous. Answer D is incorrect because local law enforcement does not investigate a single spam incident.
34. Answer: B, C, D. Rootkits can be included as part of a software package and can be installed by way of an unpatched vulnerability or by the user downloading and installing it. Answer A is incorrect because accessing documents on the local intranet should not result in a rootkit installation.
35. Answer: D. Rootkits have also been known to use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port. Answer A is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.
36. Answer: A. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer, mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.
37. Answer: B. A Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect because a worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer D is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.
38. Answer: A. A polymorphic virus can change each time it is executed. It was developed to avoid detection by antivirus software. Answer B is incorrect because a macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. Answer C is incorrect because a stealth virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size. Answer D is incorrect because a multipartite virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files, or vice versa.
39. Answer: C. A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate. Answer A is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate.
40. Answer: A, C, D. You can take steps to protect your network from malicious code, such as not using any type of removable media from another user without first scanning for malware, performing backups on a daily basis, installing firewalls or intrusion-prevention systems on client machines, and subscribing to newsgroups and checking antivirus websites regularly. Answer B is incorrect. Opening all attachments will most likely infect a machine.
Objective 3.2: Analyze and differentiate among types of attacks.
1. Answer: C. Telnet uses port 23. Answer A is incorrect because port 110 is used for POP3 incoming mail. Answer B is incorrect because port 21 is used for FTP. Port 443 is used by HTTPS; therefore, answer D is incorrect.
2. Answer: A, B. UDP ports 161 and 162 are used by SNMP. Answer C is incorrect because port 443 is used by HTTPS. Answer D is incorrect because port 4445 uses TCP/UDP for service type upnotifyp.
3. Answer: C. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. This can occur due to the TCP three-way handshake. The three-way handshake is the method used to establish and tear down network connections. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose.
4. Answer: A. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose.
5. Answer: B. A null session is a connection without specifying a username or password. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose.
6. Answer: D. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain. Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records, thus permitting attackers to send legitimate traffic anywhere they choose. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client.
7. Answer: D. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the add/grace period (AGP) to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to.
8. Answer: B. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
9. Answer: C. The purpose of a distributed denial of service (DDoS) attack is to disrupt the resources or services that a user would expect to have access to. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
10. Answer: A, B, D. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks. You should also set up another filter that denies traffic originating from the Internet that shows an internal network address. If the operating system allows it, reduce the amount of time before the reset of an unfinished TCP connection. Doing so makes it harder to keep resources unavailable for extended periods of time. Answer C is incorrect; increasing the amount of time before the reset of an unfinished TCP connection makes the resources unavailable for a longer period of time.
11. Answer: A. Because ARP does not require any type of validation, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices. This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address. Answer B is incorrect because it describes DNS poisoning. Answer C is incorrect. A Teardrop attack sends fragmented UDP packets. Answer D is incorrect. In a DDoS attack, the attackers distribute zombie software that allows the attacker partial or full control of the infected computer system.
12. Answer: B. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking that an incorrect IP address is related to a MAC address. The implementation of the ARP protocol is simple. The receipt of an ARP reply at any time causes the receiving computer to add the newly received information to its ARP cache without any type of verification. Answer D is incorrect because domain kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them.
13. Answer: D. A denial-of-service (DoS) attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP is called a ping flood. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer B is incorrect because the purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to.
14. Answer: C. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address; therefore, answer B is incorrect. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.
15. Answer: B. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because the session is not abnormally terminated. Although answer C may be a concern, it is not the primary issue. Answer D is incorrect because null sessions are direct connections and are not remote controlled.
16. Answer: D. The most effective way to reduce null session vulnerability is by disabling NetBIOS over TCP/IP. Editing the Registry to restrict anonymous access is another method used to control null session access. After you have done this, verify that ports 139 and 445 are closed. Answer A is incorrect; reducing the amount of time before the reset of an unfinished TCP connection deals with DoS attacks. Answers B and C are incorrect; using the signing capabilities of certificates and denying traffic originating from the Internet that shows an internal network address are protective measures against spoofing.
17. Answer: B, C, D. To mitigate the effects of spoofing, you should set up a filter that denies traffic originating from the Internet that shows an internal network address. Using the signing capabilities of certificates on servers and clients allows web and email services to be more secure. The use of IPsec can secure transmissions between critical servers and clients. Answer A is incorrect because editing the Registry to restrict anonymous access is a method used to control null session access.
18. Answer: B. Forcing a user to reauthenticate before allowing transactions to occur could help prevent this type of attack. Protection mechanisms include the use of unique initial sequence numbers (ISNs) and web session cookies. Answer A is incorrect because to mitigate the effects of spoofing, you should set up a filter that denies traffic originating from the Internet that shows an internal network address. Answers C and D are incorrect; to mitigate the vulnerability of DDoS attacks, reduce the amount of time before the reset of an unfinished TCP connection and set up filters on external routers.
19. Answer: C, D. The most effective way to reduce null session vulnerability is by disabling NetBIOS over TCP/IP. After you have done this, verify that ports 139 and 445 are closed. Answers A and B are incorrect; Simple Network Management Protocol (SNMP) is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162.
20. Answer: A, B. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. This attack is common in Telnet and wireless technologies. Answer C is incorrect because email is susceptible to spoofing, not hijacking. Answer D is incorrect. Samba provides file and print services to SMB/CIFS clients for Linux-based operating systems.
21. Answer: A, C, D. To minimize the effects of DNS poisoning, check the DNS setup if you are hosting your own DNS. Be sure the DNS server is not open-recursive. An open-recursive DNS server responds to any lookup request, without checking where it originates. Disable recursive access for other networks to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups and require that caches discard information except from the .com servers and the root servers. Answer B is incorrect because it describes an effective way to deal with rootkits.
22. Answer: A, D. ARP poisoning is limited to attacks that are locally based, so an intruder needs either physical access to your network or control of a device on your local network. To mitigate ARP poisoning on a small network, you can use static or script-based mapping for IP addresses and ARP tables. For large networks, use equipment that offers port security. Answers B and C are incorrect; they are solutions for small networks, not large networks.
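Answers 11, 12 and 22 turn on one property: a host writes whatever an ARP reply says into its cache without verification, and a static mapping is the small-network countermeasure. The C model below is added for this page and is not code from the book or from any real network stack; it contrasts that unverified update with a cache that only accepts replies it asked for and never lets a reply rebind a static entry. The table size, the "one pending request per reply" rule and the 192.0.2.x addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARP_MAX 8     /* table size: an assumption for the example */
#define IP_LEN  16    /* dotted quad kept as text for readability */
#define MAC_LEN 18    /* "aa:bb:cc:dd:ee:ff" plus terminator */

struct arp_entry {
    char ip[IP_LEN];
    char mac[MAC_LEN];
    bool is_static;   /* configured by the administrator, never learned */
};

struct arp_cache {
    struct arp_entry entries[ARP_MAX];
    int  count;
    char pending[ARP_MAX][IP_LEN];  /* IPs this host has sent a request for */
    int  pending_count;
    int  conflicts;   /* replies whose MAC disagreed with a cached mapping */
};

static struct arp_entry *find_entry(struct arp_cache *c, const char *ip)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->entries[i].ip, ip) == 0)
            return &c->entries[i];
    return NULL;
}

/* Write a mapping into entry 'e', or into a new entry when 'e' is NULL. */
static bool store(struct arp_cache *c, struct arp_entry *e,
                  const char *ip, const char *mac, bool is_static)
{
    if (!e) {
        if (c->count == ARP_MAX) return false;
        e = &c->entries[c->count++];
        snprintf(e->ip, IP_LEN, "%s", ip);
    }
    snprintf(e->mac, MAC_LEN, "%s", mac);
    e->is_static = is_static;
    return true;
}

/* MAC currently cached for 'ip', or NULL if the IP is unknown. */
const char *arp_lookup(struct arp_cache *c, const char *ip)
{
    struct arp_entry *e = find_entry(c, ip);
    return e ? e->mac : NULL;
}

/* Static mapping: the small-network mitigation from answer 22. */
bool arp_add_static(struct arp_cache *c, const char *ip, const char *mac)
{
    return store(c, find_entry(c, ip), ip, mac, true);
}

/* Remember that this host asked about 'ip', so one reply is expected. */
void arp_note_request(struct arp_cache *c, const char *ip)
{
    if (c->pending_count < ARP_MAX)
        snprintf(c->pending[c->pending_count++], IP_LEN, "%s", ip);
}

/* Consume the pending request for 'ip'; false if none was outstanding. */
static bool take_pending(struct arp_cache *c, const char *ip)
{
    for (int i = 0; i < c->pending_count; i++) {
        if (strcmp(c->pending[i], ip) != 0) continue;
        memmove(c->pending[i], c->pending[--c->pending_count], IP_LEN);
        return true;
    }
    return false;
}

/* 'Before': the behaviour answers 11 and 12 describe. Any reply, at any
 * time, is written into the cache, so it can rebind any IP to any MAC. */
bool arp_reply_unverified(struct arp_cache *c, const char *ip, const char *mac)
{
    struct arp_entry *e = find_entry(c, ip);
    if (e && strcmp(e->mac, mac) != 0)
        c->conflicts++;               /* noticed, but the change still lands */
    return store(c, e, ip, mac, e && e->is_static);
}

/* 'After': a static entry is never rebound, a dynamic entry is learned only
 * from a reply to a request this host sent, and a differing MAC is counted
 * so it can be logged. Returns true only when the cache changed. */
bool arp_reply_verified(struct arp_cache *c, const char *ip, const char *mac)
{
    struct arp_entry *e = find_entry(c, ip);
    if (e && strcmp(e->mac, mac) != 0)
        c->conflicts++;
    if (e && e->is_static)
        return false;                 /* the administrator's mapping wins */
    if (!take_pending(c, ip))
        return false;                 /* unsolicited reply: ignored */
    return store(c, e, ip, mac, false);
}
```

To exercise it, add a static entry for the gateway with arp_add_static, note a request for one host, then feed one solicited and one unsolicited reply to arp_reply_verified and compare arp_lookup and the conflicts counter before and after.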
23. Answer: C. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter would be if User A could read User B’s email without specific authorization. Answer A is incorrect because it describes default accounts. Answer B is incorrect because data transmitted over a wireless network using 802.1x that can be easily “sniffed” is referred to as data emanations. Answer D is incorrect because a back door is an application code function, created intentionally or unintentionally, which allows unauthorized access to networked resources.
24. Answer: D. A back door is an application code function, created intentionally or unintentionally, which allows unauthorized access to networked resources. Answer A is incorrect because it describes default accounts. Answer B is incorrect because data transmitted over a wireless network using 802.1x that can be easily “sniffed” is referred to as data emanations. Answer C is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter would be if User A could read User B’s email without specific authorization.
25. Answer: B. Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. Answer A is incorrect because a DoS focuses on network resources, not local resources. Answer C is incorrect; viruses and worms ranked the highest for sheer number of attacks against network storage. Answer D is incorrect; DoS attacks are launched against servers in the DMZ, not the internal network, unless there is no DMZ in place. However, corporate networks usually have some type of segmentation keeping the internal network and DMZ separated, making this answer choice incorrect.
26. Answer: C. Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. Answer A is incorrect because privilege escalation is the intentional access to resources not intended for access by the user. Answer B is incorrect; a back door is an application code function, created intentionally or unintentionally, which allows unauthorized access to networked resources. Answer D is incorrect; attempting to directly access the resources through unauthorized means would fall along the lines of a spoofing attack.
27. Answer: C. Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack because they are known to potential attackers. Answer A is incorrect because replacing them on an as-needed basis is not proper policy. Answer B is incorrect; replacing them when an attack has been detected is reactive instead of proactive. Answer D is incorrect because using the same logon credential for all devices and services leaves them all vulnerable should the password be compromised.
196
Chapter 3
28. Answer: A. Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment. Answer B is incorrect because back doors are associated with code development, not system certification. Answer C is incorrect because during user interface testing, the users do not have access to the code and cannot create back doors. Answer D is incorrect because the code has already been developed and tested during the implementation phase. At this point, there is no access to the code itself.
29. Answer: D. To optimize network layout within each unique location, a site survey is necessary before implementing any WLAN solution. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas. Answers A, B, and C are incorrect. Land surveys, building inspections, and OSHA inspections are agency-related functions and cannot be conducted by the organization.
30. Answer: B. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer C is incorrect. Back doors represent application code functions, created intentionally or unintentionally, which allow unauthorized access to networked resources. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
31. Answer: D. Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Back doors represent application code functions, created intentionally or unintentionally, which allow unauthorized access to networked resources.
32. Answer: C. Back doors represent application code functions, created intentionally or unintentionally, which allow unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
33. Answer: C. Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer A is incorrect. Network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
34. Answer: A. Network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
35. Answer: A. Privilege escalation represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization. Answer B is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer C is incorrect. Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected. Answer D is incorrect. Back doors are application code functions, created intentionally or unintentionally, that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later.
36. Answer: D. Back doors are application code functions, created intentionally or unintentionally, that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Answer A is incorrect. Privilege escalation represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization. Answer B is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer C is incorrect. Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected.
37. Answer: B, C. Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Answer A is incorrect because it is an attack associated with WAPs announcing their service set identifier (SSID). Answer D is incorrect because DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website.
38. Answer: D. DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website. Many fringe service industries, such as online casinos, are regularly targeted with this type of attack. Answer A is incorrect because it is an attack associated with WAPs announcing their service set identifier (SSID). Answers B and C are incorrect; automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
39. Answer: A. Spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
40. Answer: B. Vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
41. Answer: D. Pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging.
42. Answer: C. Smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
43. Answer: B. Messaging spam, sometimes called SPIM, is a type of spam targeting users of instant messaging (IM) services. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer C is incorrect because spam targets email. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
44. Answer: D. When used as part of scanning a system, the TCP header of Christmas tree packets has the flags SYN, FIN, URG and PSH set. By observing how a host responds to an odd packet, such as a Christmas tree packet, assumptions can be made regarding the host’s operating system. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer B is incorrect because a null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking that an incorrect IP address is related to a MAC address. The implementation of the ARP protocol is simple. The receipt of an ARP reply at any time causes the receiving computer to add the newly received information to its ARP cache without any type of verification.
45. Answer: B. Transitive access can be achieved by gaining the trust of a computer that is trusted by the target network, allowing the bypass of security measures. Answer A is incorrect because packet sniffing targets packets, not hosts. Answer C is incorrect; social-engineering attacks target humans, not computers. Answer D is incorrect. DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website.
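The ARP cache behaviour described in answers 22 and 44 above, modelled in Python as an added example that is not from the book: a naive cache accepts every reply without verification, while a cache with administrator-pinned static mappings ignores conflicting and unsolicited replies and records an alert for review. The `solicited` flag (standing in for real pending-request tracking) and all addresses are constructed assumptions.

```python
"""Added example (not from the book): ARP cache with and without static-mapping protection."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    solicited: bool  # assumption: True when this host had a pending request for sender_ip


@dataclass
class ArpCache:
    dynamic: Dict[str, str] = field(default_factory=dict)
    static: Dict[str, str] = field(default_factory=dict)  # administrator-pinned IP -> MAC
    alerts: List[str] = field(default_factory=list)

    def resolve(self, ip: str) -> Optional[str]:
        """Static entries always take precedence over learned ones."""
        return self.static.get(ip, self.dynamic.get(ip))


def naive_update(cache: ArpCache, reply: ArpReply) -> str:
    """ARP as answer 44 describes it: whatever reply arrives is cached, with no checks."""
    cache.dynamic[reply.sender_ip] = reply.sender_mac
    return cache.dynamic[reply.sender_ip]


def hardened_update(cache: ArpCache, reply: ArpReply) -> Optional[str]:
    """Static mapping wins; unsolicited replies are dropped; MAC changes are logged."""
    ip, mac = reply.sender_ip, reply.sender_mac
    pinned = cache.static.get(ip)
    if pinned is not None:
        if pinned != mac:
            cache.alerts.append(f"static conflict: {ip} claimed by {mac}, pinned {pinned}")
        return pinned
    if not reply.solicited:
        cache.alerts.append(f"unsolicited reply ignored: {ip} -> {mac}")
        return cache.dynamic.get(ip)
    previous = cache.dynamic.get(ip)
    if previous is not None and previous != mac:
        # Legitimate NIC swaps happen, so accept the change but record it for review.
        cache.alerts.append(f"mapping changed: {ip} {previous} -> {mac}")
    cache.dynamic[ip] = mac
    return mac


# Constructed traffic: a legitimate gateway reply, a forged unsolicited reply
# for the same gateway, and a workstation whose MAC changes between replies.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01", solicited=True),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", solicited=False),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20", solicited=True),
    ArpReply("192.168.1.20", "de:ad:be:ef:00:20", solicited=True),
]


def run_simulation(replies=SAMPLE_REPLIES):
    """Feed the same replies to both caches and return them for comparison."""
    naive = ArpCache()
    hardened = ArpCache(static={"192.168.1.1": "aa:bb:cc:00:00:01"})
    for reply in replies:
        naive_update(naive, reply)
        hardened_update(hardened, reply)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = run_simulation()
    print("naive gateway MAC:   ", naive.resolve("192.168.1.1"))
    print("hardened gateway MAC:", hardened.resolve("192.168.1.1"))
    for alert in hardened.alerts:
        print("ALERT", alert)
```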
Objective 3.3: Analyze and differentiate among types of social engineering attacks.
1. Answer: B. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. Answer A is incorrect because pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website. Answer C is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information.
2. Answer: C. Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email. Answer A is incorrect because pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website. Answer B is incorrect. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder.
3. Answer: B. Hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents. Answer A is incorrect because pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website. Answer C is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email. Answer D is incorrect because spam is unwanted email communication.
4. Answer: A. Although hoaxes present issues such as loss of functionality or security vulnerabilities, they also use system resources and consume users’ time. This results in lost productivity and an undue burden on the organization’s resources, especially if many employees respond. Answer B is incorrect; although a virus may be a concern, the idea behind a chain letter is to occupy time and resources. Answer C is incorrect because hoaxes try to occupy time and resources, not garner proprietary information. Answer D is incorrect because this statement is simply not true.
5. Answer: D. Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password. Answer A is incorrect; virus infection is a concern. However, the real danger is the organizational information that is readily accessible. Answer B is incorrect because social engineering is a process by which an attacker may extract useful information from users who are often tricked into helping the attacker. Answer C is incorrect because dumpster diving is scavenging through discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company.
6. Answer: D. Whaling is identical to spear phishing except for the “size of the fish.” Whaling employs spear phishing tactics, but is intended to go after high-profile targets such as an executive within a company. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging.
7. Answer: B. Vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect because whaling is identical to spear phishing except for the “size of the fish.” Whaling employs spear phishing tactics, but is intended to go after high-profile targets such as an executive within a company.
8. Answer: A. Spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual or groups of individuals. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect. Whaling is identical to spear phishing except for the “size of the fish.” Whaling employs spear phishing tactics, but is intended to go after high-profile targets such as an executive within a company.
9. Answer: C. Dumpster diving is scavenging through discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company. Answer A is incorrect; virus infection is a technical concern, not a human concern. Answer B is incorrect because social engineering is a process by which an attacker may extract useful information from users who are often tricked into helping the attacker. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password.
10. Answer: D. Tailgating refers to the act of tagging along with another person who is authorized in order to gain entry into a restricted area. Answer A is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning. Answer B is incorrect because dumpster diving is scavenging through discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company. Answer C is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password.
Objective 3.4: Analyze and differentiate among types of wireless attacks.
1. Answer: B. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available Wireless Access Points (WAPs). Turning off this broadcast can reduce the vulnerability of a wireless packet sniffer detecting broadcasts that readily identify a WAP. In this particular instance, the WAP is not secure because the SSID is broadcast in plain text whenever a client connects to the network. Answer A is incorrect because WAPs by default do not have encryption enabled. Answer C is incorrect because if physical access is limited, the risk is mitigated. Answer D is incorrect because it describes the characteristics of a hub.
2. Answer: D. 802.1x transmissions generate detectable radio-frequency signals in all directions. Persons who want to “sniff” the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides. Answer A is incorrect because the radio-frequency signals are generated in all directions, not in one direction. Answers B and C are incorrect because data emanation is what allows for the sniffing of the data, not why data emanation is a risk.
3. Answer: C. Without the use of a mandated encryption standard, data transmitted over an 802.1x wireless link may be passed in clear form. Forms of encryption may be implemented, such as Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) and Temporal Key Integrity Protocol (TKIP). Answers A, B, and D are incorrect because authorization, authentication, and identification are access control methods, not methods to mitigate data transmissions.
4. Answer: A, B, C. Wireless communications are susceptible to data emanation, weak encryption, session hijacking, man-in-the-middle attacks, and war-driving. Answer D is incorrect because spam relaying is associated with open SMTP relays in email servers.
5. Answer: C. Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transmit data traffic pretending to be from the original client. Answers A and D are incorrect. Both of these answers deal with authorization, and session hijacking deals with authentication. Answer B is incorrect because it is not true that there is no authentication mechanism; one exists, and it is one-way.
6. Answer: D. The request for connection by the client is an omnidirectional open broadcast. It is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. Answer A is incorrect because a request for connection by the client is an omnidirectional open broadcast. Answers B and C are incorrect; the connection request is made by the client, not the access point.
7. Answer: A. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer B is incorrect because it describes war-dialing. Answer C is incorrect because it describes war-chalking. Answer D is incorrect because it describes a hotspot.
8. Answer: C. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer B is incorrect because it describes war-dialing. Answer D is incorrect because it describes a hotspot.
9. Answer: B. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer C is incorrect because it describes bluesnarfing. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.
10. Answer: C. Although typically benign, attackers use bluejacking to generate messages that appear to be from the device itself. This leads users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing. Answer B is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

11. Answer: A. The 802.11 (Wi-Fi) standard uses the CSMA/CA connectivity methods commonly found in Ethernet connectivity. Answers B and D are incorrect because both i-Mode and WAP are standards used by mobile devices such as cell phones, pagers, and PDAs and are not used to specify WLAN standards. Answer C is incorrect because Bluetooth is based on a different transmission protocol.

12. Answer: D. Data emanation happens because 802.1x transmissions generate detectable radio-frequency signals in all directions. Persons wanting to sniff the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving.

13. Answer: B. Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic pretending to be the original client. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.
Domain 3.0: Threats and Vulnerabilities
205
14. Answer: A. Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.

15. Answer: B. Although typically benign, attackers can use bluejacking to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Answer A is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer C is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

16. Answer: C. War-driving is aimed at identification of existing wireless networks, the service set identifier (SSID) used to identify the wireless network, and any known WEP keys. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.

17. Answer: A. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer B is incorrect. Although typically benign, attackers can use bluejacking to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Answer C is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

18. Answer: B. Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism. Answer A is incorrect. Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.

19. Answer: D. The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. WPA includes many of the functions of the 802.11i protocol but relies on the Rivest Cipher 4 (RC4), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval. Answers A and C are incorrect because they are encryption standards not associated with the Wi-Fi Alliance. Answer B is incorrect because WAP refers both to handheld devices and to wireless access points.

20. Answer: A. Wireless Session Layer (WSL) is equivalent to the session layer of the Open Systems Interconnection (OSI) model. Based on this information, answers B, C, and D are incorrect.
Objective 3.5: Analyze and differentiate among types of application attacks.

1. Answer: A, D. Some identified vulnerabilities of the Java language include buffer overflows, ability to execute instructions, resource monopolization, and unexpected redirection. Answers B and C are incorrect because unauthorized file upload and email exposure are associated with JavaScript, not the Java language.

2. Answer: C. Java applets execute when the client machine’s browser loads the hosting web page. Vulnerabilities are based on the Java language. JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client. Answers A and B are incorrect because JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client, not the server. Answer D is incorrect because the operating system does not load the hosting web page—an application and browser do.

3. Answer: B. Java is a precompiled language. Before it can be executed, it undergoes a Just In Time (JIT) compilation into the necessary binary bytes. A Java-based miniprogram, called an applet, may present many security risks to the client. Applets execute when the client machine’s browser loads the hosting web page. Answers A and C are incorrect because Java is a precompiled language. Answer D is incorrect because applets execute when the client machine’s browser loads the hosting web page.

4. Answer: B, C. JavaScript is a client-side interpreted language that mainly poses privacy-related vulnerability issues such as unauthorized file upload and email exposure. Answers A and D are incorrect because they are associated with the Java language. Some identified vulnerabilities of the Java language include buffer overflows, ability to execute instructions, resource monopolization, and unexpected redirection.

5. Answer: A. To avoid vulnerabilities exposed by earlier forms of Java and ActiveX development, all machines should be kept up-to-date with new version releases. Scripting language vulnerabilities may be addressed in this manner, as well as by turning off or increasing the client’s browser security settings to prevent automatic code execution. Answer B is incorrect because this setting controls third-party tool bands and browser helper objects. Answer C is incorrect because increasing the pop-up setting will not mitigate Java vulnerabilities. Answer D is incorrect because Integrated Windows Authentication has to do with logon information, not Java vulnerabilities.

6. Answer: C. Microsoft developed a precompiled application technology that can be embedded in a web page in the same way as Java applets. This technology is referred to as ActiveX, and its controls share many of the same vulnerabilities present in embedded Java applets. Answer A is incorrect because cookies are temporary files stored in the client’s browser cache to maintain settings across multiple pages, servers, or sites. Answer B is incorrect because JavaScript is a smaller language that does not create applets or standalone applications. Answer D is incorrect because CGI (Common Gateway Interface) scripts are programs that run on the server to service client requests.

7. Answer: B. Clients should regularly clear their browser cookie cache to avoid exposing long-term browsing habits in this way. Where possible, client browsers may also be configured to block third-party cookies, although many online commerce sites require this functionality for their operation. Answer A is incorrect because this setting controls third-party tool bands and browser helper objects. Answer C is incorrect because blocking all cookies would hamper the functionality of many online commerce sites. Answer D is incorrect because disabling automatic code execution on client browsers has more to do with Java applets and ActiveX controls.

8. Answer: D. By restricting the data that can be input and using proper input validation, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content. Answer A is incorrect because blocking third-party cookies would limit exposing long-term browsing habits. Answer B is incorrect because accepting only numeric data input is not feasible, and if it is not validated, it will not mitigate attacks. Answer C is incorrect because this setting controls third-party tool bands and browser helper objects.

9. Answer: A. Whereas cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Answers B and D are incorrect because these sites would use session cookies, not tracking cookies. Answer C is incorrect because a Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed.

10. Answer: D. Spammers search for unprotected SMTP relay services running on public servers, which may then be used to resend SMTP messages to obscure their true source. Answer A is incorrect because buffer overflows are associated with not using proper input validation. Answer B is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent.

11. Answer: B. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Therefore, answer C is incorrect. Answers A and D are incorrect because tracking cookies are beneficial or valuable only to the tracking party, not the user.

12. Answer: A. Secure Hypertext Transport Protocol (S-HTTP) operates over port 80 along with regular HTTP traffic. Answer B is incorrect because HTTPS (HTTP over SSL) and SSL employ X.509 digital certificates and operate over port 443. Answer C is incorrect. Email clients connect to port 110 of a remote email server, and then use the POP3 protocol to retrieve email. Answer D is incorrect. Port 4445 uses TCP/UDP for service type upnotifyp.

13. Answer: B. HTTPS (HTTP over SSL) and SSL employ X.509 digital certificates and operate over port 443. Answer A is incorrect because Secure Hypertext Transport Protocol (S-HTTP) operates over port 80 along with regular HTTP traffic. Answer C is incorrect. Email clients connect to port 110 of a remote email server, and then use the POP3 protocol to retrieve email. Port 4445 uses TCP/UDP for service type upnotifyp; therefore, answer D is incorrect.

14. Answer: B, C. Malformed certificates may be used to exploit the parsing libraries used by SSL agents. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates. Answers A and D are incorrect because they are associated with programming errors. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on a server. Format string vulnerabilities may result in unauthorized access to enact commands on a server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the server, preventing it from responding to normal requests.
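Answer 8 above states the mitigation for maliciously crafted URL references and redirected content in one sentence: restrict what may be input and validate it. The following is an added example, not code from the book, showing what that validation looks like for a redirect parameter (the classic `?next=` value): a target is accepted only if it is a same-site relative path or an absolute http(s) URL whose host is on an allowlist, and everything else falls back to a safe default instead of being "cleaned up". The allowlisted hosts and the default target are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only external hosts the
# application is willing to send a browser to.
ALLOWED_REDIRECT_HOSTS = {"shop.example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate: str) -> str:
    """Return `candidate` if it is an acceptable redirect target, else DEFAULT_TARGET.

    Accepted: a same-site relative path such as "/account", or an absolute
    http(s) URL whose host is exactly on the allowlist. Rejected: other schemes
    ("javascript:", "data:"), scheme-relative "//host" forms, backslashes (which
    browsers treat like "/" in the authority), control characters, and
    "user@host" forms that make the visible hostname misleading.
    """
    if not candidate or len(candidate) > 2048:
        return DEFAULT_TARGET

    # Control characters, DEL and surrounding whitespace never belong in a target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_TARGET
    if candidate != candidate.strip():
        return DEFAULT_TARGET

    # Refuse backslashes outright rather than trying to normalise them.
    if "\\" in candidate:
        return DEFAULT_TARGET

    parts = urlsplit(candidate)

    # Relative target: urlsplit gives no scheme and no netloc. A value such as
    # "//evil.example/x" has a netloc, so it does not reach this branch.
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET

    # Absolute target: scheme and host are both checked; hostname is already
    # lower-cased and stripped of port and userinfo by urlsplit.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    host = parts.hostname
    if host is None or host not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    for value in ("/account?tab=1", "//evil.example/x",
                  "https://shop.example.com/cart",
                  "https://shop.example.com@evil.example/",
                  "javascript:alert(1)"):
        print(f"{value!r:48} -> {safe_redirect_target(value)!r}")
```

The allowlist is matched on the exact hostname, not on a suffix or substring, so `shop.example.com.evil.example` and `evil.example/?next=shop.example.com` are both rejected; substring checks are the usual way such validators are bypassed.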
15. Answer: A, D. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server. Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the LDAP server, preventing it from responding to normal requests. Answers B and C are incorrect because they are associated with SSL certificate vulnerabilities. Malformed certificates may be used to exploit the parsing libraries used by SSL agents. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates.

16. Answer: B, C. FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Answers A and D are incorrect because they are associated with programming errors. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on a server. Format string vulnerabilities may result in unauthorized access to enact commands on a server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the server, preventing it from responding to normal requests.

17. Answer: A. FTPS (FTP over SSL) uses TCP port 21. Answer B is incorrect because HTTP operates over port 80. Answer C is incorrect. A more secure version of FTP (S/FTP) has been developed, including SSL encapsulation. This is referred to as FTP over SSH using the Secure Shell (SSH) TCP port 22. Answer D is incorrect because port 81 is used as an alternate port for hosting a website.

18. Answer: A, B, C. Attackers develop viral malware capable of spreading through contact lists within IM clients. Others focus on capturing IM traffic and cached logs of past conversations, in an attempt to obtain useful or harmful information. The file-transfer and desktop-sharing capabilities of many clients present challenges against unauthorized data sharing, while creative attackers make use of the audio and video capabilities to directly “tap” unwary IM users. Answer D is incorrect. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against servers, preventing them from responding to normal requests.

19. Answer: A, C. CGI scripts may be exploited to leak information, including details about running server processes and daemons. Samples included in some default installations are not intended for security and include well-known exploits, and buffer overflows may allow arbitrary commands to be executed on the server. Answer B is incorrect because anonymous file access is associated with FTP servers. Answer D is incorrect because CGI scripts do not run on the client system.

20. Answer: D. When a website redirects the client’s browser to attack yet another site, this is referred to as cross-site scripting. Answer A is incorrect because unencrypted authentication is associated with FTP servers. Answer B is incorrect because a session hijack occurs when an attacker causes the client’s browser to establish a secure connection to a compromised web server acting as a proxy or redirecting traffic to a secure target site, exposing traffic as it passes through the compromised system. Answer C is incorrect because a buffer overflow occurs when data input exceeds the memory space allocated and injects unanticipated data or programmatic code into executable memory.

21. Answer: B. An early exploit of JavaScript allowed access to files located on the client’s system if the name and path were known. Answers A and D are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer C is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.

22. Answer: A. Exploits may allow the identification of configuration details of the server that may be helpful to later unauthorized access attempts, a process often referred to as profiling. Answer B is incorrect because reporting portrays information collected in a particular area. Answer C is incorrect because abstracting is used to understand and solve problems. Answer D is incorrect because hyperlinking is associated with web pages.

23. Answer: B. The danger of maintaining session information is that sites may access cookies stored in the browser’s cache that may contain details on the user’s e-commerce shopping habits, along with many user details that could possibly include sensitive information identifying the user or allowing access to secured sites. Answers A and C are incorrect because these actions prove helpful for the client. Answer D is incorrect because this action is associated with Java.

24. Answer: A, C. Browser-based vulnerabilities include session hijacking, buffer overflows, cross-site scripting, and add-in vulnerabilities. Answer B is incorrect because SQL injection is associated with SQL database servers. Answer D is incorrect because social engineering is taking advantage of human nature.

25. Answer: C. The common BitTorrent file-sharing application is an example of a resource-sharing peer-to-peer (P2P) solution, allowing users to transport files between remote clients without passing through a central server for access. This presents difficulties for access restriction because any two clients may negotiate connections using random ports and protocols, bypassing traffic analysis and access control restrictions. Answer A is incorrect; it describes a vulnerability exploitation of Java, CGI scripts, and LDAP. Answer B is incorrect; anonymous file upload is associated with FTP servers. Answer D is incorrect because it describes a CGI script exploit.
Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques.

1. Answer: B. Unsecured equipment is vulnerable to social-engineering attacks. It is much easier for an attacker to walk into a reception area, say she is here to do some work on the server, and get server access than to get into a physically secured area with a guest sign-in and sign-out sheet. Brute-force attacks, malware, and rootkits can be installed or launched without physical access. Therefore, answers A, C, and D are incorrect.
2. Answer: C. The goal of a physical security policy is to allow only trusted use of resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model the organization has chosen. Answers A, B, and D are incorrect: allowing only officers, or only those users deemed credible, is discretionary, whereas allowing all visitors will create an unsecure environment.

3. Answer: B, C. In very high-security areas, frosted or painted glass can be used to eliminate direct visual observation of user actions, and very high-security scenarios may mandate the use of electromagnetic shielding to prevent remote monitoring of emissions generated by video monitors, network switching, and system operation. Answers A and D are incorrect; picket and chain-link fencing should not be used in high-security areas.

4. Answer: A. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Answer B is incorrect because it increases the chances of an intruder hiding. Answer C is incorrect; it describes a mantrap. Answer D is incorrect because it describes a wireless lock entry.

5. Answer: C. A mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer A is incorrect because it describes no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Answer B is incorrect because it increases the chances of an intruder hiding. Answer D is incorrect because it describes a wireless lock entry.

6. Answer: D. A cipher lock has a punch code entry system. A wireless lock is opened by a receiver mechanism that reads the card when it is held close to the receiver. Based on this information, answers A, B, and C are incorrect.

7. Answer: A. Video or CCTV cameras should be posted in key locations so that the entire area is covered. Place cameras near entrances and exits to capture each visitor who comes in and out of the parking lot. Place cameras strategically so that every area of the parking lot can be seen by a camera’s field of vision. Answer B is incorrect. If the parking lot covers a large area, security guard coverage may not be enough. Answer C is incorrect because a keycard entry point can easily be compromised. Answer D is incorrect because motion detection is not feasible for a parking lot.

8. Answer: A, B, D. External motion detectors can be based on light, sound, infrared, or ultrasonic technology. Answer C is incorrect because radio-frequency identification (RFID) is an automatic identification method.

9. Answer: A. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer B is incorrect. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer C is incorrect. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.

10. Answer: B. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer A is incorrect. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer C is incorrect. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.

11. Answer: A, B, D. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. A building that houses top-secret information would also require a mantrap and a door access system in addition to a no-man’s land. Answer C is incorrect because a wooden fence provides little protection.

12. Answer: D. Video surveillance such as closed-circuit television (CCTV) is the most common method of surveillance. The picture is viewed or recorded, but not broadcast. It was originally developed as a means of security for banks. Answer A is incorrect because a mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer B is incorrect because security dogs are not a good solution for a bank. Answer C is incorrect because painted glass is used as a method of obscuring views. It is not a sufficient method of security for a bank.

13. Answer: C. Motion detectors can alert security personnel of intruders or suspicious activity on the company’s premises. They can be based on light, sound, infrared, or ultrasonic technology. These devices must be properly configured because they are extremely sensitive and can issue false alarms if set too stringently. Answers A and B are incorrect because they are false statements. Answer D is incorrect; although motion detectors may be a more expensive solution, the question asks for the main security concern.

14. Answer: A. The quickest way to tell which ports are open and which services are running is to do a netstat operation on the machine. Answer B is incorrect; nbtstat is designed to help troubleshoot NetBIOS name resolution problems. Answer C is incorrect; ipconfig is used to troubleshoot IP address configuration. Answer D is incorrect; msconfig is used to configure startup services on Windows computers.

15. Answer: D. SNMP is used for monitoring the health of network equipment, computer equipment, and devices like uninterruptible power supplies (UPS). Answer A is incorrect because SubNetwork Access Protocol (SNAP) defines how data is formatted for transmission and how access to the network is controlled. Answer B is incorrect because SMTP is used for email. Answer C is incorrect because the Synchronous Data Link Control (SDLC) protocol was developed by IBM to be used as Layer 2 of the SNA hierarchical network.
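Answer 14 above names netstat as the quickest way to see which ports are open and which services are listening. The following added example (not from the book) shows where that information comes from on Linux: netstat reads the kernel's /proc/net/tcp table, in which each socket's local address and port are printed in hexadecimal and the state column 0A means LISTEN. The parser below decodes that table and reports every listener, flagging those bound to all interfaces (0.0.0.0) rather than loopback, which is the set an administrator reviews when deciding which unnecessary services to remove (answer 16). The sample table is constructed for the example, and the address decoding assumes a little-endian host (x86/x86-64), where the kernel prints the IPv4 word with its octets reversed; IPv6 sockets (/proc/net/tcp6) are not handled.

```python
import socket
import struct
from typing import Dict, List, Tuple

# State codes as printed in /proc/net/tcp (kernel tcp_states.h numbering).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp for this example: CUPS on loopback,
# sshd and a web app on all interfaces, plus one outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18203 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20011 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31442 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:A1B2 5BD1C2C3:01BB 01 00000000:00000000 02:000004D6 00000000  1000        0 31900 2 0000000000000000 22 4 30 10 -1
"""


def decode_ipv4_endpoint(hex_endpoint: str) -> Tuple[str, int]:
    """Turn '0100007F:0277' into ('127.0.0.1', 631).

    Assumes a little-endian host: the kernel prints the address word in host
    byte order, so the octets appear reversed. Reading it as '<I' and writing
    it back as '!I' restores network order for inet_ntoa.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    word = struct.unpack("<I", bytes.fromhex(addr_hex))[0]
    return socket.inet_ntoa(struct.pack("!I", word)), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict[str, object]]:
    """Parse the text of /proc/net/tcp into one record per socket."""
    records = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue                            # tolerate truncated lines
        local_ip, local_port = decode_ipv4_endpoint(fields[1])
        remote_ip, remote_port = decode_ipv4_endpoint(fields[2])
        records.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),              # owner of the socket
            "inode": int(fields[9]),            # joins to /proc/<pid>/fd for the process
        })
    return records


def listening_ports(text: str) -> List[Tuple[str, int, int]]:
    """Return (bind address, port, uid) for every LISTEN socket, sorted by port."""
    listeners = [(r["local"][0], r["local"][1], r["uid"])
                 for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN"]
    return sorted(listeners, key=lambda entry: entry[1])


def exposed_listeners(text: str) -> List[Tuple[str, int, int]]:
    """Listeners bound to 0.0.0.0 are reachable from the network, not just locally."""
    return [entry for entry in listening_ports(text) if entry[0] == "0.0.0.0"]


def read_live_listeners(path: str = "/proc/net/tcp") -> List[Tuple[str, int, int]]:
    """Same report for the running Linux host (IPv4 only)."""
    with open(path, encoding="ascii") as fh:
        return listening_ports(fh.read())


if __name__ == "__main__":
    for addr, port, uid in listening_ports(SAMPLE_PROC_NET_TCP):
        print(f"{addr}:{port}  uid={uid}")
```

On a live host, `read_live_listeners()` gives the same view as `netstat -tln`; the inode in each record is what `netstat -p` uses to map a socket back to its process by scanning /proc/<pid>/fd.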
16. Answer: B, C. The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create Access Control Lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited, and you minimize the threat of an attack. Answer A is incorrect. It is not always necessary to keep protocols installed by default. Answer D is incorrect. Users should never control what goes in and out of the network. 17. Answer: C. To improve server performance, logs should be stored on a nonsystem striped or striped/mirrored disk volume. Answer A is incorrect. Storing the log files in the DMZ is poor practice because the servers located here are generally more vulnerable. Answers B and D are incorrect; storing the log files on the local machine will not improve performance. 18. Answer: D. Log files should be stored in a centralized repository of an offline volume or on a standalone computer. Answer A is incorrect; storing the log files on the local machine will not improve security. Answer B is incorrect. Storing the log files on the intranet is poor practice as the information is visible and more vulnerable. Answer C is incorrect. Storing the log files in the DMZ is poor practice because the servers located here are generally more vulnerable. 19. Answer: C. When implementing an application logging strategy, look for a solution that uses standard protocols and formats so that analysis is simpler. Therefore, answers A, B, and D are incorrect. 20. Answer: A, B, D. IIS logs may include information about site visitors and their viewing habits. They can be used to assess content, identify bottlenecks, or investigate attacks. Answer C is incorrect. Task Manager is a tool that you can use to end processes. 21. Answer: D. DNS logging may cause performance degradation on the server. It should be used only for troubleshooting purposes. 
By enabling DNS debug logging, you can log all DNS-related activity (queries, responses, and updates). Based on this information, answers A, B, and C are incorrect. 22. Answer: D. In UNIX- or Linux-based systems, programs send log entries to the system logging daemon, syslogd (or a successor such as rsyslog or syslog-ng). Answer A is incorrect because mtools.conf is the configuration file for the mtools utilities, not a logging facility. Answers B and C are incorrect; both Msconfig and Event Viewer are tools used on Windows-based systems. 23. Answer: B, C. You should employ strict access controls on all logging servers. If allowable, encrypt the log files and store them on a standalone system. Answer A is incorrect; it is not good practice to store log files in plain text where anyone with read access can view or alter them. Answer D is incorrect; log files should not be stored on the data partitions of individual systems. 24. Answer: B. Task Manager is a tool that you can use to end processes or applications that get hung up or cause the operating system to become unstable, without having to reboot the machine. It also gives you an instant view of CPU and memory usage. Answer A is incorrect because Network Monitor is used to capture network traffic and generate statistics for creating reports. Answer C is incorrect because Event Viewer enables you to view certain events that occur on the system. Event Viewer maintains three main log files: one for system events, one for security information, and one for applications (later Windows versions add many more logs under Applications and Services Logs). Answer D is incorrect because Microsoft’s Performance console is used for tracking and viewing the utilization of system resources.
Chapter 3
25. Answer: C. Authentication and accounting logging is particularly useful for troubleshooting remote-access policy issues. Answer A is incorrect because Internet Information Services (IIS) logging is designed to be more detailed than the event-logging or performance-monitoring features of Windows Server operating systems. The IIS logs can include information such as who has visited your site, what they viewed, and when the information was viewed last. Answer B is incorrect because critical and error are two of the eight syslog severity levels (0 through 7) available on Cisco devices, not a log source for remote-access problems. Answer D is incorrect because authentication and accounting logging information is used to track remote-access usage and authentication attempts. This logging is separate from the events recorded in the system event log. 26. Answer: A, C, D. Antivirus software, just like other software applications, usually contains a folder within the application for logging events such as updates, quarantined viruses, and update history. Answer B is incorrect. Dropped packets are normally found in firewall or router logs. 27. Answer: B. Routing and remote access logging information is used to track remote-access usage and authentication attempts. This logging is separate from the events recorded in the system event log. Therefore, answer D is incorrect. Answer A is incorrect; firewall logging will not log remote access and authentication. Answer C is incorrect; IIS logging will not log remote access and authentication. 28. Answer: C. Auditing is the process of tracking users and their actions on the network. Answer A is incorrect because it describes baselining. Answer B is incorrect because it describes logging. Answer D is incorrect because it describes monitoring. 29. Answer: A, B. Without proper planning and policies, you will probably fill your log files and hard drives quickly with useless or unused information.
The more quickly you fill up your log files, the more frequently you need to check the logs; otherwise, important security events may be overwritten or deleted unnoticed. Answer C is incorrect because log files should not be stored on user hard drives. Answer D is incorrect. When auditing is not clear-cut, the workload of the system administrator increases. 30. Answer: B, C. Auditing user privileges is generally a two-step process that involves enabling auditing within the operating system and then specifying the resources to be audited. Answer A is incorrect; auditing, not logging, needs to be enabled. Answer D is incorrect; the log file storage directory is specified, not the audit file directory. 31. Answer: D. Auditing of access use and rights changes should be implemented to detect unauthorized or unintentional access by guest or restricted user accounts to sensitive or protected resources. Answer A is incorrect; group policy controls access to resources. Answer B is incorrect; retention policies concern data, not user access. Answer C is incorrect; DHCP deals with the issuing of IP addresses, not access to accounts. 32. Answer: C. It is equally important to audit both failed and successful events because both may reveal unauthorized access or an unexpected escalation of access rights. Answers A and B are incorrect because it is important to audit both types of events. Answer D is incorrect because auditing is an important part of securing the network.
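Questions 29 through 32 turn on the same point: failed and successful events have to be audited together, because a success that follows a run of failures from the same source is exactly what a failure-only audit misses. The Python script below is an added example (it is not from the book and not from any product) that parses a handful of constructed Linux auth-log lines, correlates failures with the success that follows them, and also picks out sudo-to-root events. The log lines, the host and user names, and the threshold of five failures are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a Linux auth log; not taken from any real host.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 host1 sshd[2201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:04 host1 sshd[2201]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Mar  3 09:12:07 host1 sshd[2201]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:09 host1 sshd[2201]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar  3 09:12:12 host1 sshd[2201]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar  3 09:12:15 host1 sshd[2208]: Accepted password for alice from 203.0.113.7 port 51027 ssh2
Mar  3 10:40:33 host1 sshd[2310]: Accepted publickey for bob from 198.51.100.5 port 40110 ssh2
Mar  3 11:02:10 host1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Mar  3 11:05:44 host1 sshd[2402]: Failed password for invalid user admin from 192.0.2.99 port 3301 ssh2
"""

# syslog-style prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

FAIL_THRESHOLD = 5  # assumption for the demo; tune to the environment


def parse_events(text):
    """Parse auth-log lines into event dicts; lines that match no pattern are kept as 'other'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "host": m["host"], "prog": m["prog"], "kind": "other"}
        msg = m["msg"]
        if m["prog"] == "sshd":
            s = SSH_RE.match(msg)
            if s:
                ev.update(kind="logon", success=s["result"] == "Accepted",
                          method=s["method"], user=s["user"], src=s["src"],
                          invalid_user="invalid user" in msg)
        elif m["prog"] == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                ev.update(kind="sudo", user=s["user"], target=s["target"], cmd=s["cmd"])
        events.append(ev)
    return events


def analyze(events, threshold=FAIL_THRESHOLD):
    """Correlate failures and successes per (user, source).

    A run of failures at or above the threshold is reported as brute force; a
    success that arrives while such a run is open is reported separately, since
    that is the pattern a failure-only audit never shows. sudo to root is listed
    as a rights change worth reviewing regardless of outcome."""
    failures = defaultdict(int)  # (user, src) -> consecutive failures so far
    findings = {"brute_force": {}, "success_after_failures": [],
                "invalid_users": [], "privilege_escalations": []}
    for ev in events:
        if ev["kind"] == "logon":
            key = (ev["user"], ev["src"])
            if ev["success"]:
                if failures[key] >= threshold:
                    findings["success_after_failures"].append((*key, failures[key]))
                failures[key] = 0
            else:
                failures[key] += 1
                if failures[key] >= threshold:
                    findings["brute_force"][key] = failures[key]
                if ev["invalid_user"]:
                    findings["invalid_users"].append(key)
        elif ev["kind"] == "sudo" and ev["target"] == "root":
            findings["privilege_escalations"].append((ev["user"], ev["target"], ev["cmd"]))
    return findings


if __name__ == "__main__":
    for category, items in analyze(parse_events(SAMPLE_AUTH_LOG)).items():
        print(category, items)
```

The interesting finding in the sample is the sixth line: on its own an accepted password for alice is routine, and on their own five failures could be a forgotten password; only the correlation says the guess eventually worked.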
Domain 3.0: Threats and Vulnerabilities
33. Answer: B. Logging is the process of collecting data to be used for monitoring and reviewing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer A is incorrect. Answer C is incorrect. Baselining is measuring and rating the performance of a network. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer D is incorrect. 34. Answer: D. Turning on all audit counters for all objects could significantly impact server performance. Answer A is incorrect; auditing is done in the background and does not affect user productivity. Answer B is incorrect; if the I/O activity were affected at all, it would be increased. Answer C is incorrect; as with I/O activity, if there were change, it would be an increase, not a decrease. 35. Answer: B. In Group Policy, the settings that will actually be applied to an object will be a combination of all the settings that can affect the object. Answer A is incorrect because all group policies are applied to the object. Answer C is incorrect; in a universal group, the policies may be applied from different domains. Answer D is incorrect; this would apply only if there was not a domain environment. 36. Answer: B. You can use gpresult to see what policy is in effect and to troubleshoot problems. Answer A is incorrect; you can use gpupdate to refresh policy immediately and to specify certain options at the command line. Answer C is incorrect; the Resultant Set of Policy (RSoP) tool is used to determine the effective settings on the computer that you are working from or any other computer in a Windows Server 2008 Active Directory domain. Answer D is incorrect; the Group Policy object is used to create group policies. 37. Answer: A. 
You can use the Resultant Set of Policy (RSoP) tool to determine the effective settings on the computer that you are working from or any other computer in a Windows Server 2008 Active Directory domain. Answer B is incorrect; the Group Policy object is used to create group policies. Answer C is incorrect; you can use gpupdate to refresh policy immediately and to specify certain options at the command line. Answer D is incorrect; the local security settings are used on the local machine only. 38. Answer: C. Auditing success events in the account management event category can be used to verify changes that were made to account properties and group properties. Answer A is incorrect. Auditing success events in the policy change event category will record success and failure events in the system events. Answer B is incorrect. Auditing success events in the policy change event category on domain controllers indicates someone has changed the local security authority (LSA). Answer D is incorrect; auditing success events in the logon event category records when each user logs on to or logs off from the computer. 39. Answer: D. Auditing success events in the logon event category records when each user logs on to or logs off from the computer. Answer A is incorrect. Auditing success events in the policy change event category will record success and failure events in the system events. Answer B is incorrect. Auditing success events in the policy change event category on domain controllers indicates someone has changed the local security authority (LSA). Answer C is incorrect; auditing success events in the account management event category is used to verify changes that were made to account properties and group properties.
40. Answer: C. Auditing success events in the account logon event category on domain controllers is used to verify when users log on to or log off from the domain. Answer A is incorrect. Auditing success events in the policy change event category will record success and failure events in the system events. Answer B is incorrect. Auditing success events in the policy change event category on domain controllers indicates someone has changed the local security authority (LSA). Answer D is incorrect; auditing success events in the logon event category records when each user logs on to or logs off from the computer.
Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities. 1. Answer: A. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. 2. Answer: D. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. 3. Answer: C. A protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Answer A is incorrect.
A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
4. Answer: B. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. 5. Answer: D. Open Vulnerability and Assessment Language (OVAL) is intended as an international language for representing vulnerability information using an XML schema for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository. Answer A is incorrect because it describes the Open Systems Interconnection reference model (OSI model). Answer B is incorrect because it describes IEEE 802 standards. Answer C is incorrect because it describes the International Organization for Standardization (ISO). 6. Answer: A. Within U.S. governmental agencies, vulnerabilities may be described using the Open Vulnerability and Assessment Language (OVAL), sponsored by the Department of Homeland Security’s National Cyber Security Division (NCSD). Answer B is incorrect because IEEE 802 refers to a family of IEEE standards dealing with local area networks and metropolitan area networks. Answer C is incorrect because the International Organization for Standardization, widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations.
Answer D is incorrect because the Information Systems Security Association is a security-focused professional group, not a vulnerability language. 7. Answer: A. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Port scanners are useful in creating an inventory of services hosted on networked systems. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. 8. Answer: C. A protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility, which is often referred to as a packet sniffer. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP
addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. 9. Answer: D. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which test only for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. 10. Answer: B. Code reviews are typically conducted using automated software programs designed to check code, as well as manual human checks, in which someone not associated with development combs through the code. Answer A is incorrect because an architecture review is an assessment of system architecture that considers the entire system. It provides the ability to identify faulty components and the interaction between various elements. Answer C is incorrect because design review refers more specifically to the components of the architecture at a more micro level.
A review of design will consider various elements such as compatibility, modularity, reusability, and, of course, security. Answer D is incorrect. The attack surface refers to the amount of running code, services, and user-interaction fields and interfaces. 11. Answer: D. The attack surface refers to the amount of running code, services, and user-interaction fields and interfaces. Answer A is incorrect because an architecture review is an assessment of system architecture that considers the entire system. It provides the ability to identify faulty components and interaction between various elements. Answer B is incorrect. Code reviews are typically conducted using automated software programs designed to check code, as well as manual human checks, in which someone not associated with development combs through the code. Answer C is incorrect because design review refers more specifically to the components of the architecture at a more micro level. A review of design will consider various elements such as compatibility, modularity, reusability, and, of course, security. 12. Answer: A. An architecture review is an assessment of system architecture that considers the entire system. It provides the ability to identify faulty components and interaction between various elements. Answer B is incorrect. Code reviews are typically conducted using automated software programs designed to check code, as well as manual human checks, in which someone not associated with development combs through the code. Answer C is incorrect because design review refers more specifically to the components of the architecture at a more micro level. A review of design will consider various elements such as compatibility, modularity, reusability, and, of course, security. Answer D is incorrect. The attack surface refers to the amount of running code, services, and user-interaction fields and interfaces.
13. Answer: D. Password crackers used for auditing should report only the relative strength of a password, rather than the password itself, so that actual passwords are never disclosed and individual accountability for logons is not undermined if the results are produced in evidentiary discovery. Answers A, B, and C are incorrect because password crackers should not report the password itself, to avoid disclosure under e-discovery proceedings. 14. Answer: B. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. This information can be used to identify single points of failure, conduct a network inventory, and create graphical details suitable for reporting on network configurations. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. 15. Answer: C. A protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility, which is often referred to as a packet sniffer. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer D is incorrect.
A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
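Question 13 says a password cracker used for auditing should report only the relative strength of a password, never the password itself. The Python code below is an added example, not from the book or any cracking tool, of a dictionary check written that way: the audit function sees only salted SHA-256 digests and a word list, and its report names the weakness category but discards the matching plaintext. The credential table, salts, passwords, word list and mangling rules are constructed for the demo; a real audit would read the digests from the credential store and use that store's own hash algorithm.

```python
import hashlib
import hmac


def hash_password(password, salt):
    """Salted SHA-256. Used here only to build the constructed sample table; the
    audit treats it as the credential store's format, so swap in the real one."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed credential table: user -> (salt, digest). The plaintexts appear once,
# here, so the demo runs offline; the audit function below never receives them.
SAMPLE_CREDENTIALS = {
    "alice": (b"salt-a", hash_password("password1", b"salt-a")),
    "bob": (b"salt-b", hash_password("Summer2012", b"salt-b")),
    "carol": (b"salt-c", hash_password("x7#Qm!9vLp2@eR4z", b"salt-c")),
    "dave": (b"salt-d", hash_password("letmein", b"salt-d")),
}

# Tiny constructed word list and mangling rules; a real audit uses a large lexicon.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer"]
SUFFIXES = ["1", "123", "!", "2012"]

LABEL_DICT = "weak: dictionary word"
LABEL_MANGLED = "weak: dictionary word with common mangling"
LABEL_OK = "not cracked by this word list"


def candidates(wordlist):
    """Yield (candidate, strength_label): the bare word first, then capitalisation
    and appended digits/symbols, the rules every off-the-shelf cracker tries first."""
    for word in wordlist:
        yield word, LABEL_DICT
        yield word.capitalize(), LABEL_MANGLED
        for suffix in SUFFIXES:
            yield word + suffix, LABEL_MANGLED
            yield word.capitalize() + suffix, LABEL_MANGLED


def audit(credentials, wordlist):
    """Report the relative strength of each account's password without returning
    the password. The matching candidate is dropped; only the label survives, so
    the report can go to management or into discovery without exposing credentials."""
    report = {}
    for user, (salt, digest) in credentials.items():
        report[user] = LABEL_OK
        for cand, label in candidates(wordlist):
            # compare_digest: no early-exit timing difference between hashes
            if hmac.compare_digest(hash_password(cand, salt), digest):
                report[user] = label
                break
    return report


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_CREDENTIALS, WORDLIST).items():
        print(f"{user}: {verdict}")
```

The design point is the return type: the audit returns labels, and nothing that calls it can recover a plaintext from the result. If the policy also wants a count of how many accounts fell to which rule, extend the label set rather than adding the password to the report.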
Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning. 1. Answer: B. Friendly attacks against a network test the security measures put into place. Such attacks are referred to as penetration tests or simply “pen tests.” Answers A and C are incorrect because a vulnerability assessment or a security assessment is not a directed effort to exploit vulnerabilities in an attempt to gain access to networked resources. Answer D is incorrect because a compliance test has nothing to do with penetration testing.
2. Answer: A, C. Penetration tests may cause some disruption to network operations as a result of the actual penetration efforts conducted. Penetration tests can also mask legitimate attacks by generating false data in intrusion detection systems/intrusion prevention systems (IDS/IPS). Answers B and D are incorrect; although internal and external users may be affected, these are not the most serious downsides of penetration testing. 3. Answer: B, C. Some systems administrators may perform amateur pen tests against networks in an attempt to prove a particular vulnerability exists or to evaluate the overall security exposure of a network. This is a bad practice because it generates false intrusion data, may weaken the network’s security level, and may be a violation of privacy laws, regulatory mandates, or business entity guidelines. Answers A and D are incorrect because the statements are contrary to the correct answers. 4. Answer: D. Vulnerability assessments may be complemented by directed efforts to exploit vulnerabilities in an attempt to gain access to networked resources. Penetration testing includes all of the steps of a vulnerability assessment plus an important extra step, which is to exploit the vulnerabilities found in the discovery phase. Based on the previous information, answers A, B, and C are incorrect. 5. Answer: A. Penetration tests can also mask legitimate attacks by generating false data in IDS systems, concealing aggression that is otherwise unrelated to the officially sanctioned penetration test. Answers B and C are incorrect; although they are both concerns, they are not the main security risk. Answer D is incorrect; penetration testing itself does not weaken the network’s security level; however, amateur pen testing can. 6. Answer: A. A black box test is conducted with the assessor having no information or knowledge about the inner workings of the system or knowledge of the source code, for example.
Answer B is incorrect because white box testing, also called clear box or glass box, provides more transparency. White box techniques are often tests to see if programming constructs are placed correctly and carry out the required actions or not. Answer C is incorrect because gray box testing uses a combination of both white and black box techniques. This can be more easily thought of as being translucent. Answer D is incorrect because green box testing is a testing process that takes multiple integrated systems that have passed system testing as input and tests their required interactions. 7. Answer: B. White box testing, also called clear box or glass box, provides transparency. White box techniques are often tests to see if programming constructs are placed correctly and carry out the required actions or not. Answer A is incorrect because black box testing is conducted with the assessor having no information or knowledge about the inner workings of the system or knowledge of the source code for example. Answer C is incorrect because gray box testing uses a combination of both white and black box techniques. This can be more easily thought of as being translucent. Answer D is incorrect because green box testing is a testing process that takes multiple integrated systems that have passed system testing as input and tests their required interactions.
8. Answer: B. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch mirror (SPAN) port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. 9. Answer: C. A password cracker is a software utility that allows direct testing of user logon password strength by conducting a brute-force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Answer A is incorrect. Password Locker is a commercial program that lets you save passwords, recover passwords, and manage and form-fill all your usernames and passwords. Answer B is incorrect because a password generator creates random passwords. Answer D is incorrect. A password keychain, most commonly found on Apple computers, keeps track of your passwords for any type of account. 10. Answer: A. Unlike port scanners, which test only for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability. Answers B, C, and D are incorrect because they do not accurately describe port scanners or vulnerability scanners.
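Objective 3.7 question 9 and Objective 3.8 question 10 draw the same distinction: a port scanner only learns that a service answers, while a vulnerability scanner identifies the product and version and compares it to what is known to be vulnerable. The Python code below is an added example (not from the book and not from any scanner) of that version-comparison step, run over constructed banners. The hosts, banners and the "fixed in" thresholds are placeholders made up for the demo and do not correspond to real advisories; a real scanner loads that table from a maintained vulnerability feed.

```python
import re

# Constructed service banners as a scanner might read them on connect:
# (host, port) -> banner. Not captured from any real system.
BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_5.3",
    ("10.0.0.5", 80): "Apache/2.2.14 (Ubuntu)",
    ("10.0.0.6", 22): "SSH-2.0-OpenSSH_7.4",
    ("10.0.0.7", 21): "220 ProFTPD 1.3.3 Server ready",
    ("10.0.0.7", 25): "220 mail.example.test ESMTP ready",
}

# Placeholder table: product -> first version that is NOT affected. Made up for the
# demo; these are not real advisories.
FIXED_IN = {"OpenSSH": "6.0", "Apache": "2.2.20", "ProFTPD": "1.3.4"}

# product -> regex that pulls the version string out of that product's banner
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH[_ ](\d[\w.]*)"),
    "Apache": re.compile(r"Apache/(\d[\w.]*)"),
    "ProFTPD": re.compile(r"ProFTPD (\d[\w.]*)"),
}


def parse_version(text):
    """Turn '2.2.14' or '5.3p1' into a tuple of ints for ordering. Non-numeric
    parts are dropped, which is fine here but loses pre-release ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def identify(banner):
    """Return (product, version) if the banner is recognised, else None."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def open_ports(banners):
    """What a port scanner learns: which ports answered, nothing about versions."""
    result = {}
    for host, port in sorted(banners):
        result.setdefault(host, []).append(port)
    return result


def vulnerable_services(banners, fixed_in=FIXED_IN):
    """What a vulnerability scanner adds: identify each service and flag versions
    below the fixed-in threshold. Unrecognised banners are returned separately
    rather than silently passed, so coverage gaps stay visible in the report."""
    findings, unknown = [], []
    for (host, port), banner in sorted(banners.items()):
        ident = identify(banner)
        if ident is None:
            unknown.append((host, port, banner))
            continue
        product, version = ident
        threshold = fixed_in.get(product)
        if threshold and parse_version(version) < parse_version(threshold):
            findings.append((host, port, product, version, threshold))
    return findings, unknown


if __name__ == "__main__":
    print("port scan view:", open_ports(BANNERS))
    found, unk = vulnerable_services(BANNERS)
    for host, port, product, version, fixed in found:
        print(f"{host}:{port} {product} {version} is below fixed-in version {fixed}")
    for host, port, banner in unk:
        print(f"{host}:{port} unrecognised banner: {banner!r}")
```

One caveat a practitioner adds to any banner-based check: distributions that backport security fixes (Debian, Red Hat and their derivatives do this) keep the old version string, so a version comparison like this one reports false positives there. Authenticated scans that read the installed package's patch level, or checks that probe the behaviour the fix changed, are how a real scanner settles the question.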
CHAPTER FOUR
Domain 4.0: Application, Data, and Host Security
Application, data, and host security become the major focus of security as we move to a more web-based world and exploits such as cross-site scripting and SQL injection are an everyday occurrence. Web-based applications and database servers contain a wealth of valuable data. Internally, application servers store a wide variety of data, from web pages to critical data and sensitive information. Regulatory compliance issues make it necessary to have sound procedures in place for the security of applications, data, and hosts. Domain 4 of the Security+ exam requires that you are familiar with securing host systems, applications, and organizational data. To secure devices, you must also understand the basic concepts of encryption and how data is stored. Be sure to give yourself plenty of time to review all these concepts. The following list identifies the key areas from Domain 4.0 (which counts as 16% of the exam) that you need to master:
• Explain the importance of application security
• Carry out appropriate procedures to establish host security
• Explain the importance of data security
Chapter 4
Quick Check
Practice Questions
Objective 4.1: Explain the importance of application security.
1. The organization is concerned about bugs in commercial off-the-shelf (COTS) software. Which of the following may be the only means of reviewing the security quality of the program?
❍ A. Fuzzing
❍ B. Cross-site scripting
❍ C. Input validation
❍ D. Cross-site request forgery
Quick Answer: 248 Detailed Answer: 250
2. Which of the following is an attack in which the end user executes unwanted actions on a web application while the user is currently authenticated?
❍ A. Buffer overflow
❍ B. Input validation error
❍ C. Cross-site scripting
❍ D. Cross-site request forgery
Quick Answer: 248 Detailed Answer: 250
3. Adding a token for every POST or GET request that is initiated from the browser to the server can be used to mitigate which of the following attacks?
❍ A. Buffer overflow
❍ B. Cross-site request forgery
❍ C. Cross-site scripting
❍ D. Input validation error
Quick Answer: 248 Detailed Answer: 250
4. Never inserting untrusted data except in allowed locations can be used to mitigate which of the following attacks? (Select two answers.)
❍ A. Buffer overflow
❍ B. Cross-site request forgery
❍ C. Cross-site scripting
❍ D. Input validation error
Quick Answer: 248 Detailed Answer: 250
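Question 3 describes the standard cross-site request forgery defense: a token the server issues and then checks on the requests it receives. The Python below is an added example, not the book's code and not from any web framework, of one way to build such a token with only the standard library: the token is an HMAC over the session identifier, an issue time and a random nonce, so it cannot be forged without the server key, cannot be replayed against another session, and expires. The session identifiers, the server key, the one-hour lifetime and the toy transfer handler are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumption for the demo: a process-wide secret. In production this is a persistent
# per-deployment secret loaded from configuration, never regenerated on restart.
SERVER_KEY = os.urandom(32)

TOKEN_MAX_AGE = 3600  # seconds a token stays valid (assumed policy)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(key, session_id, ts, nonce):
    # session_id is assumed not to contain ':'; the separator keeps fields unambiguous
    msg = f"{session_id}:{ts}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, key=SERVER_KEY, now=None):
    """Mint a token bound to the caller's session. The random nonce makes each
    token unique, and the HMAC means a forger without the key cannot make one."""
    ts = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode().rstrip("=")
    return f"{ts}:{nonce}:{_mac(key, session_id, ts, nonce)}"


def verify_token(token, session_id, key=SERVER_KEY, max_age=TOKEN_MAX_AGE, now=None):
    """True only if the token was minted with our key for this session and is not stale."""
    try:
        ts_str, nonce, mac = token.split(":")
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if ts > current + 60 or current - ts > max_age:  # from the future, or expired
        return False
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(mac, _mac(key, session_id, ts, nonce))


def handle_transfer(method, form, session_id, key=SERVER_KEY, now=None):
    """Toy endpoint. GET returns the form with a fresh token for the page to embed;
    any state-changing method must carry a token valid for the session cookie that
    accompanied it. A request forged from another origin carries the victim's
    cookie automatically but cannot carry the token, because the attacker's page
    cannot read the victim's form (same-origin policy)."""
    if method not in STATE_CHANGING:
        return 200, "transfer form", issue_token(session_id, key, now)
    token = form.get("csrf", "")
    if not verify_token(token, session_id, key, now=now):
        return 403, "missing or invalid CSRF token", None
    return 200, f"transferred {form.get('amount')}", None


if __name__ == "__main__":
    status, body, token = handle_transfer("GET", {}, "sess-A")
    print(status, body)
    print(handle_transfer("POST", {"amount": "10", "csrf": token}, "sess-A")[:2])
    print(handle_transfer("POST", {"amount": "10"}, "sess-A")[:2])          # forged: no token
    print(handle_transfer("POST", {"amount": "10", "csrf": token}, "sess-B")[:2])  # wrong session
```

The question's wording covers every POST or GET; in practice the check belongs on every request that changes state, and GET handlers should not change state at all, which is why the handler above issues tokens on GET and demands them on the other methods. Binding the token to the session is what stops an attacker from obtaining a token in their own session and pasting it into the forged request.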
5. Which of the following are steps that can be taken to harden FTP services?
❍ A. Anonymous access to share files of questionable or undesirable content should be limited.
❍ B. Regular review of networks for unauthorized or rogue servers.
❍ C. Technologies that allow dynamic updates must also include access control and authentication.
❍ D. Unauthorized zone transfers should also be restricted.
Quick Answer: 248 Detailed Answer: 250
6. Which of the following are steps that can be taken to harden DHCP services?
❍ A. Anonymous access to share files of questionable or undesirable content should be limited.
❍ B. Regular review of networks for unauthorized or rogue servers.
❍ C. Technologies that allow dynamic updates must also include access control and authentication.
❍ D. Unauthorized zone transfers should also be restricted.
Quick Answer: 248 Detailed Answer: 250
7. Which of the following types of attacks can be carried out either by convincing users to visit an HTML page the attacker has constructed or by inserting arbitrary HTML into a target website that users visit?
❍ A. Buffer overflow
❍ B. Cross-site request forgery
❍ C. Cross-site scripting
❍ D. Input validation error
Quick Answer: 248 Detailed Answer: 251
8. Which of the following types of attacks is executed by placing malicious executable code on a website?
❍ A. Buffer overflow
❍ B. Cross-site request forgery
❍ C. Cross-site scripting
❍ D. Input validation error
Quick Answer: 248 Detailed Answer: 251
9. Which of the following types of attacks is characterized by client-side vulnerabilities presented by ActiveX or JavaScript code running within the client’s browser?
❍ A. Buffer overflow
❍ B. Cross-site request forgery
❍ C. Cross-site scripting
❍ D. Input validation error
Quick Answer: 248 Detailed Answer: 251
10. An organization has had a rash of malware infections. Which of the following can help mitigate the number of successful attacks?
❍ A. Application baselining
❍ B. Patch management
❍ C. Network monitoring
❍ D. Input validation
Quick Answer: 248 Detailed Answer: 251
11. In which of the following phases should code security first be implemented?
❍ A. Testing
❍ B. Review
❍ C. Implementation
❍ D. Design
Quick Answer: 248 Detailed Answer: 251
12. Buffer overflows, format string vulnerabilities, and utilization of shell-escape codes can be mitigated by which of the following practices?
❍ A. Fuzzing
❍ B. Testing
❍ C. Input validation
❍ D. Browser-initiated token request
Quick Answer: 248 Detailed Answer: 251
13. In which of the following types of fuzzing are forged packets sent to the tested application and then replayed?
❍ A. Application fuzzing
❍ B. Protocol fuzzing
❍ C. File format fuzzing
❍ D. Web page fuzzing
Quick Answer: 248 Detailed Answer: 252
Domain 4.0: Application, Data, and Host Security
227
✓
Quick Check
14. Which of the following is a step that can be taken to harden data?
❍ A. Anonymous access to share files of questionable or undesirable content should be limited.
❍ B. Technologies that allow dynamic updates must also include access control and authentication.
❍ C. Secure storage and backup of storage area networks (SANs).
❍ D. Unauthorized zone transfers should also be restricted.
Quick Answer: 248 Detailed Answer: 252

15. Which of the following are basic areas of hardening? (Select all correct answers.)
❍ A. Operating system
❍ B. Application
❍ C. Internet
❍ D. Network
Quick Answer: 248 Detailed Answer: 252

16. In which of the following hardening areas would file-level security solutions occur? (Select all correct answers.)
❍ A. Operating system
❍ B. Application
❍ C. Internet
❍ D. Network
Quick Answer: 248 Detailed Answer: 252

17. In which of the following hardening areas would disabling unnecessary protocols and services occur?
❍ A. Operating system
❍ B. Application
❍ C. Internet
❍ D. Network
Quick Answer: 248 Detailed Answer: 252

18. In which of the following hardening areas would hotfixes, patches, and service packs occur? (Select all correct answers.)
❍ A. Operating system
❍ B. Application
❍ C. Internet
❍ D. Network
Quick Answer: 248 Detailed Answer: 252
19. Which of the following is critical in hardening a network?
❍ A. Configuring log files
❍ B. File-level security
❍ C. Configuring auditing
❍ D. Mapping avenues of access
Quick Answer: 248 Detailed Answer: 253

20. Which of the following updates are very specific and targeted toward an exact problem?
❍ A. Service pack
❍ B. Hotfix
❍ C. Patch
❍ D. Maintenance release
Quick Answer: 248 Detailed Answer: 253

21. Which of the following updates is a major revision of functionality and operation?
❍ A. Service pack
❍ B. Hotfix
❍ C. Patch
❍ D. Maintenance release
Quick Answer: 248 Detailed Answer: 253

22. Which of the following updates is generally used to eliminate security vulnerabilities?
❍ A. Service pack
❍ B. Hotfix
❍ C. Patch
❍ D. Maintenance release
Quick Answer: 248 Detailed Answer: 253

23. Application hardening practices should include reviewing which of the following? (Select all correct answers.)
❍ A. Key management
❍ B. Default administration accounts
❍ C. Standard passwords
❍ D. Behavior-based profiles
Quick Answer: 248 Detailed Answer: 253

24. Which of the following best describes why regular update reviews for all deployed operating systems are imperative?
❍ A. Default administration accounts may have been compromised.
❍ B. Behavior-based profiles may have changed.
❍ C. Automated attacks make use of common vulnerabilities.
❍ D. Firmware updates may have been accidentally missed.
Quick Answer: 248 Detailed Answer: 254

25. Which of the following best describes why public key infrastructure (PKI) implementations must be properly configured and updated?
❍ A. Behavior-based profiles may have changed.
❍ B. To maintain key and ticket stores.
❍ C. Automated attacks make use of common vulnerabilities.
❍ D. To isolate access attempts.
Quick Answer: 248 Detailed Answer: 254

26. Hardening of the operating system includes which of the following? (Select all correct answers.)
❍ A. Updating the system firmware
❍ B. Configuring log files and auditing
❍ C. Implementation of account lockout policies
❍ D. Changing default account names and passwords
Quick Answer: 248 Detailed Answer: 254

27. Hardening of the network includes which of the following? (Select all correct answers.)
❍ A. Configuring devices and firewalls
❍ B. Configuring log files and auditing
❍ C. Securing the file system selection
❍ D. Updating the hardware firmware
Quick Answer: 248 Detailed Answer: 254

28. Which of the following is the primary reason public areas of the network should be included in a site survey?
❍ A. It mitigates unsecure access to a secured network.
❍ B. It addresses emergent hardware-related vulnerabilities.
❍ C. It isolates access attempts within the operating system environment.
❍ D. It allows the proper level of access control.
Quick Answer: 248 Detailed Answer: 254

29. Which of the following is the primary reason regular log review is critical for web servers?
❍ A. To prevent SMTP relay from being used by spammers
❍ B. To verify URL values are not exploiting unpatched buffer overruns
❍ C. To confirm that password details are not being intercepted
❍ D. To prevent poisoning by unauthorized zone transfers
Quick Answer: 248 Detailed Answer: 255

30. Which of the following is the primary reason hardening is necessary for email servers?
❍ A. To prevent SMTP relay from being used by spammers
❍ B. To verify URL values are not exploiting unpatched buffer overruns
❍ C. To confirm that password details are not being intercepted
❍ D. To prevent poisoning by unauthorized zone transfers
Quick Answer: 248 Detailed Answer: 255

31. NNTP servers raise many of the same security considerations as which of the following server types?
❍ A. Database
❍ B. DNS
❍ C. Email
❍ D. DHCP
Quick Answer: 248 Detailed Answer: 255

32. Which of the following is the primary reason hardening is necessary for DNS servers?
❍ A. To prevent SMTP relay from being used by spammers
❍ B. To verify URL values are not exploiting unpatched buffer overruns
❍ C. To confirm that password details are not being intercepted
❍ D. To prevent poisoning from forged query results
Quick Answer: 248 Detailed Answer: 255

33. Which of the following is the primary reason regular log review is critical for FTP servers?
❍ A. To prevent SMTP relay from being used by spammers
❍ B. To verify URL values are not exploiting unpatched buffer overruns
❍ C. To confirm that password details are not being intercepted
❍ D. To prevent poisoning by unauthorized zone transfers
Quick Answer: 248 Detailed Answer: 255
34. Which of the following is the primary reason hardening is necessary for print servers?
❍ A. To prevent SMTP relay from being used by spammers
❍ B. To prevent exposure of access credentials to packet sniffing
❍ C. To prevent client leases from rogue servers
❍ D. To prevent DoS attacks by unauthorized parties
Quick Answer: 248 Detailed Answer: 256

35. DHCP servers raise many of the same security considerations as which of the following server types?
❍ A. Database
❍ B. DNS
❍ C. Email
❍ D. NNTP
Quick Answer: 248 Detailed Answer: 256

36. Data repositories of any type might require specialized security considerations due to which of the following? (Select all correct answers.)
❍ A. Access requirements
❍ B. Bandwidth requirements
❍ C. Processing resources requirements
❍ D. Lease requirements
Quick Answer: 248 Detailed Answer: 256

37. Which of the following is true of network file shares?
❍ A. Scope address pools will flood with insufficient lease duration.
❍ B. They are not secure until default access permissions are removed.
❍ C. If not secured, DoS attacks can prevent proper name resolution.
❍ D. The password is always encrypted in all network file-sharing systems.
Quick Answer: 248 Detailed Answer: 256

38. Which of the following best describes why operating systems that support DHCP server authentication should be used?
❍ A. To prevent SMTP relay from being used by spammers
❍ B. To prevent exposure of access credentials to packet sniffing
❍ C. To prevent client leases from rogue servers
❍ D. To prevent zone transfers by unauthorized parties
Quick Answer: 248 Detailed Answer: 256
39. Which of the following are appropriate methods to improve the security of data repositories? (Select all correct answers.)
❍ A. Use of role-based access control
❍ B. Elimination of unneeded connection libraries
❍ C. Use of discretionary-based access control
❍ D. Elimination of bandwidth restrictions
Quick Answer: 248 Detailed Answer: 256

40. Which of the following enables an administrator to set consistent common security standards for a certain group of computers and enforce common computer and user configurations?
❍ A. Group Policy
❍ B. User Account Control
❍ C. Task Manager
❍ D. Network Monitor
Quick Answer: 248 Detailed Answer: 257

Objective 4.2: Carry out appropriate procedures to establish host security.

1. Which of the following best describes where host intrusion prevention system software resides?
❍ A. Between the system’s Registry and OS kernel
❍ B. At the application level
❍ C. Between the system’s applications and OS kernel
❍ D. At the network layer
Quick Answer: 248 Detailed Answer: 257

2. Which of the following is the most common detection method used in antivirus programs?
❍ A. Anomaly detection
❍ B. Misuse detection
❍ C. Scanning
❍ D. Filtering
Quick Answer: 248 Detailed Answer: 257

3. Which of the following is the most common main component of antispam software?
❍ A. Anomaly detection
❍ B. Misuse detection
❍ C. Scanning
❍ D. Filtering
Quick Answer: 248 Detailed Answer: 257

4. Which of the following best describes antivirus scanning technology?
❍ A. Identifies virus code based on a unique behavior pattern
❍ B. Identifies virus code based on a unique set of Registry keys
❍ C. Identifies virus code based on a unique string of characters
❍ D. Identifies virus code based on a unique set of commands
Quick Answer: 248 Detailed Answer: 257

5. Which of the following are unintended consequences of using pop-up blockers with high settings? (Select all correct answers.)
❍ A. Applications or programs might not install.
❍ B. Firewall applications might not work properly.
❍ C. It verifies a legitimate working user account.
❍ D. Information entered is deleted by reloading the page.
Quick Answer: 248 Detailed Answer: 257

6. Which of the following best describes heuristic scanning behavior?
❍ A. Searches for operating system kernel-level changes
❍ B. Looks for instructions not typically found in the application
❍ C. Identifies virus code based on a unique string of characters
❍ D. Monitors both incoming and outgoing connections
Quick Answer: 248 Detailed Answer: 258

7. Which of the following are known issues with using heuristic scanning methods? (Select all correct answers.)
❍ A. Buffer overflow
❍ B. Susceptible to false positives
❍ C. Cannot identify new viruses without database update
❍ D. Logic bomb
Quick Answer: 248 Detailed Answer: 258
8. Which of the following best describes a false positive?
❍ A. The software classifies a nonintrusive action as a possible intrusion.
❍ B. The software detects virus-like behavior and pops up a warning.
❍ C. The software classifies an intrusive action as a nonintrusive action.
❍ D. The software fails to detect virus-like behavior.
Quick Answer: 248 Detailed Answer: 258

9. When an organization implements a decentralized antispam software solution, which of the following will happen?
❍ A. A central server pushes updates to the client machines.
❍ B. The antispam vendor is responsible for the updates.
❍ C. The department manager is responsible for updates.
❍ D. The individual users are responsible for updates.
Quick Answer: 248 Detailed Answer: 258

10. Which of the following will result when the antispam software filter level is set to high? (Select all correct answers.)
❍ A. Fewer false positives
❍ B. More false positives
❍ C. Less spam will be filtered
❍ D. More spam will be filtered
Quick Answer: 248 Detailed Answer: 258

11. Which of the following best describes the result of adding an email address to the approved list?
❍ A. It is considered part of the white list.
❍ B. It is considered part of the blacklist.
❍ C. It is considered part of the gray list.
❍ D. It is considered part of the brown list.
Quick Answer: 248 Detailed Answer: 258

12. Which of the following best describes the result of adding an email address to the blocked list?
❍ A. It is considered part of the white list.
❍ B. It is considered part of the blacklist.
❍ C. It is considered part of the gray list.
❍ D. It is considered part of the brown list.
Quick Answer: 248 Detailed Answer: 258
13. Which of the following are characteristics of pop-ups? (Select all correct answers.)
❍ A. Some are helpful.
❍ B. Most are integrated in toolbars.
❍ C. Many are an annoyance.
❍ D. Some are malicious.
Quick Answer: 248 Detailed Answer: 259

14. Which of the following is true about pop-up blockers? (Select all correct answers.)
❍ A. Most block only JavaScript.
❍ B. Many are integrated into toolbars.
❍ C. Flash can bypass a pop-up blocker.
❍ D. The user cannot adjust the settings.
Quick Answer: 248 Detailed Answer: 259

15. Which of the following pop-up blocker settings will block most automatic pop-ups but still allow functionality?
❍ A. Low
❍ B. Medium
❍ C. High
❍ D. Custom
Quick Answer: 248 Detailed Answer: 259

16. Which of the following best describes a pop-under ad?
❍ A. Pop-up used to install software
❍ B. Pop-up used to fill-in forms
❍ C. Unseen until the current window is closed
❍ D. Floating pop-up in a web page
Quick Answer: 248 Detailed Answer: 259

17. Which of the following best describes a hover ad?
❍ A. Pop-up used to install software
❍ B. Pop-up used to fill-in forms
❍ C. Unseen until the current window is closed
❍ D. Floating pop-up in a web page
Quick Answer: 248 Detailed Answer: 259

18. Which of the following is the most likely reason that certain messages continue to pass through the spam filter even though they are set to the organizational specifications?
❍ A. The software is inferior and should be returned.
❍ B. The software settings need to be adjusted.
❍ C. The software can’t assign meaning to words.
❍ D. The software needs to be retrained.
Quick Answer: 248 Detailed Answer: 259
19. Which of the following is a part of heuristic antispam filtering?
❍ A. A predefined rule set
❍ B. A predefined set of commands
❍ C. A predefined set of Registry keys
❍ D. A predefined character set
Quick Answer: 248 Detailed Answer: 259

20. Which of the following best describes the term for a unique string of characters used in antivirus software?
❍ A. Heuristic
❍ B. Signature
❍ C. Misnomer
❍ D. Anomaly
Quick Answer: 248 Detailed Answer: 259

21. Which of the following are the most compelling reasons that configuration baselines have been established? (Select all correct answers.)
❍ A. Industry standards
❍ B. Organizational requests
❍ C. Governmental mandates
❍ D. Regulatory bodies
Quick Answer: 248 Detailed Answer: 260

22. Which of the following methods would be the most effective method to physically secure laptops that are used in an environment such as an office?
❍ A. Security cables
❍ B. Server cages
❍ C. Locked cabinet
❍ D. Hardware locks
Quick Answer: 248 Detailed Answer: 260

23. Which of the following methods would be the most effective method to physically secure computers that are used in a lab environment that operates on a part-time basis?
❍ A. Security cables
❍ B. Server cages
❍ C. Locked cabinet
❍ D. Hardware locks
Quick Answer: 248 Detailed Answer: 260
24. Which of the following methods would be the most effective method to physically secure tower style computers in a financial organization?
❍ A. Security cables
❍ B. Server cages
❍ C. Locked cabinet
❍ D. Hardware locks
Quick Answer: 248 Detailed Answer: 260

25. Which of the following is included in hardening a host operating system?
❍ A. A policy for antivirus updates
❍ B. A policy for remote wipe
❍ C. An efficient method to connect to remote sites
❍ D. An effective system for file-level security
Quick Answer: 248 Detailed Answer: 260

26. An organization is looking to add a layer of security and improve enterprise desktop management. Which of the following fulfills this requirement?
❍ A. Virtualization
❍ B. Network storage policies
❍ C. VPN remote access
❍ D. Roaming profiles
Quick Answer: 248 Detailed Answer: 261

27. An organization is looking for a mobile solution that will allow both executives and employees to discuss sensitive information without having to travel to secure company locations. Which of the following fulfills this requirement?
❍ A. GPS tracking
❍ B. Voice encryption
❍ C. Remote wipe
❍ D. Passcode policy
Quick Answer: 248 Detailed Answer: 261

28. Which of the following is needed to establish effective security baselines for host systems? (Select two correct answers.)
❍ A. Cable locks
❍ B. Mandatory settings
❍ C. Standard application suites
❍ D. Decentralized administration
Quick Answer: 249 Detailed Answer: 261
29. Which of the following procedures should be used to properly protect a host from malware? (Select two correct answers.)
❍ A. Pop-up blocking software
❍ B. Antivirus software
❍ C. Content filtering software
❍ D. Web tracking software
Quick Answer: 249 Detailed Answer: 261

30. Which of the following will help track changes to the environment when an organization needs to keep legacy machines?
❍ A. Virtualization
❍ B. Network storage policies
❍ C. Host software baselining
❍ D. Roaming profiles
Quick Answer: 249 Detailed Answer: 261

31. An organization is looking for a basic mobile solution that will be used to prevent access to users’ phones. Which of the following fulfills this requirement?
❍ A. GPS tracking
❍ B. Voice encryption
❍ C. Remote wipe
❍ D. Passcode policy
Quick Answer: 249 Detailed Answer: 261

32. Which of the following is a function that can be performed to try to prevent unsecured data from being accessed in the event the device is lost or stolen?
❍ A. GPS tracking
❍ B. Voice encryption
❍ C. Remote wipe
❍ D. Passcode policy
Quick Answer: 249 Detailed Answer: 262

33. Which of the following is the most effective method that can be used to prevent data from being accessed in the event the device is lost or stolen?
❍ A. GPS tracking
❍ B. Device encryption
❍ C. Remote wipe
❍ D. Passcode policy
Quick Answer: 249 Detailed Answer: 262
34. Which of the following provides a “sandboxed” system that can be used to investigate malware?
❍ A. Virtualization
❍ B. Network storage
❍ C. Host software baselining
❍ D. Application baselining
Quick Answer: 249 Detailed Answer: 262

35. Which of the following applications should be used to properly protect a host system from malware? (Select two correct answers.)
❍ A. Antispam software
❍ B. Antivirus software
❍ C. Content filtering software
❍ D. Web tracking software
Quick Answer: 249 Detailed Answer: 262

Objective 4.3: Explain the importance of data security.

1. Which of the following types of hardware vulnerability can allow local users to cause a denial of service or the system to not boot?
❍ A. USB
❍ B. BIOS
❍ C. NAS
❍ D. PDA
Quick Answer: 249 Detailed Answer: 262

2. Which of the following is an inherent security risk when using network attached storage?
❍ A. It is easy to lose this type of storage device.
❍ B. Running applications this way leaves little trace on the host system.
❍ C. Organizations often fail to protect data on storage subsystems.
❍ D. Antivirus software cannot be installed on large storage systems.
Quick Answer: 249 Detailed Answer: 262
3. Which of the following is the primary security concern associated with cell phones and other mobile devices?
❍ A. This type of storage device can easily be lost or stolen.
❍ B. Antivirus software cannot be installed on this type of storage device.
❍ C. The data cannot be encrypted on this type of storage device.
❍ D. It is easy to crack the password on this type of storage device.
Quick Answer: 249 Detailed Answer: 262

4. Which of the following can result in the exploitation of a BIOS vulnerability? (Select all correct answers.)
❍ A. Hard drive failure
❍ B. System to not boot
❍ C. System to lock up
❍ D. Denial of service
Quick Answer: 249 Detailed Answer: 263

5. Which of the following is the greatest security risk when allowing personal small, high-capacity, removable storage devices on the network?
❍ A. A disgruntled employee can easily misuse data.
❍ B. There is no way to scan the device for malware.
❍ C. The data transferred cannot be encrypted.
❍ D. The device can easily break off in the attached computer.
Quick Answer: 249 Detailed Answer: 263

6. Which of the following is the most appropriate method to disable unauthorized users from accessing USB storage devices?
❍ A. Edit the Registry.
❍ B. Fill the USB slots with glue.
❍ C. Edit Security Accounts Manager.
❍ D. Use Group Policy.
Quick Answer: 249 Detailed Answer: 263

7. Which of the following are ways the BIOS can be compromised? (Select all correct answers.)
❍ A. Modifying Registry keys
❍ B. Known vulnerabilities
❍ C. Bypassing access control
❍ D. The BIOS password
Quick Answer: 249 Detailed Answer: 263
8. Which of the following is an inherent security risk associated with allowing cell phones and other mobile devices on the network?
❍ A. The data transferred cannot be encrypted.
❍ B. The device can be synched to the user desktop.
❍ C. The device can easily be compromised.
❍ D. Employee productivity is greatly reduced.
Quick Answer: 249 Detailed Answer: 263

9. Which of the following is the primary method used to reduce the risks associated with allowing email to cell phone access?
❍ A. Limiting email address access
❍ B. Encrypting the communication
❍ C. Not allowing attachments
❍ D. Requiring both to be password protected
Quick Answer: 249 Detailed Answer: 263

10. Which of the following methods can be used to bypass BIOS access control? (Select all correct answers.)
❍ A. Cracking the BIOS password
❍ B. Deleting the contents of the MBR
❍ C. Deleting the contents of the CMOS RAM
❍ D. Overloading the keyboard buffer
Quick Answer: 249 Detailed Answer: 263

11. System access to the BIOS configuration utility is controlled by which of the following?
❍ A. Hardware token
❍ B. Lock
❍ C. Password
❍ D. ACL
Quick Answer: 249 Detailed Answer: 263

12. Which of the following is a correct statement regarding the BIOS passwords on a desktop and on a laptop?
❍ A. Desktop passwords are automatically encrypted.
❍ B. Laptop passwords are automatically encrypted.
❍ C. Desktop passwords are usually flashed into firmware.
❍ D. Laptop passwords are usually flashed into firmware.
Quick Answer: 249 Detailed Answer: 264
13. Which of the following may be used to bypass the password on a laptop? (Select all correct answers.)
❍ A. Special loopback device
❍ B. Lock pick
❍ C. Hardware dongle
❍ D. Reseating the memory
Quick Answer: 249 Detailed Answer: 264

14. Which of the following can minimize the risks associated with BIOS vulnerabilities? (Select all correct answers.)
❍ A. Using the same BIOS password for all machines
❍ B. Creating a BIOS password policy
❍ C. Changing the BIOS password frequently
❍ D. Using an HDD password
Quick Answer: 249 Detailed Answer: 264

15. Which of the following is the main underlying concern when allowing small, high-capacity, removable storage devices on the corporate network?
❍ A. Data encryption
❍ B. Accessibility of multiple computers
❍ C. Malware infection
❍ D. Accessibility of information
Quick Answer: 249 Detailed Answer: 264

16. Which of the following best describes the probable cause when employee handheld devices send large quantities of text messages to random numbers?
❍ A. Virus
❍ B. Rootkit
❍ C. Too low of a workload
❍ D. Theft of proprietary information
Quick Answer: 249 Detailed Answer: 264

17. Which of the following should be implemented when employee handheld devices send large quantities of text messages to random numbers?
❍ A. Increased work loads
❍ B. Intrusion detection
❍ C. Antivirus software
❍ D. Data encryption
Quick Answer: 249 Detailed Answer: 264
18. Which of the following are security concerns when allowing removable hard drives such as small passport types on the network? (Select all correct answers.)
❍ A. Malware infection
❍ B. Data theft
❍ C. Reduced productivity
❍ D. Information leakage
Quick Answer: 249 Detailed Answer: 264

19. Which of the following is the best approach to prevent unauthorized use of removable storage and portable devices?
❍ A. Placing a USB lock on ports
❍ B. Issuing authorized devices and access
❍ C. Prohibiting the use of media, including CDs
❍ D. Requiring device registration with the IT department
Quick Answer: 249 Detailed Answer: 265

20. Which of the following is currently the most effective method to minimize data theft if a storage device is lost?
❍ A. Encryption
❍ B. Password protection
❍ C. Immediate dismissal of the employee
❍ D. Policies dictating proper employee remediation
Quick Answer: 249 Detailed Answer: 265

21. Which of the following are essential parts of SAN or NAS security? (Select all correct answers.)
❍ A. USB locks on ports
❍ B. Secure passwords
❍ C. Antivirus software
❍ D. Data encryption
Quick Answer: 249 Detailed Answer: 265

22. Which of the following security mechanisms should be considered when dealing with large data repositories? (Select all correct answers.)
❍ A. Key management
❍ B. Secure logging
❍ C. Authentication devices
❍ D. Encryption
Quick Answer: 249 Detailed Answer: 265
23. Which of the following storage devices would require protection for data considered “at rest”?
❍ A. USB
❍ B. PDA
❍ C. NAS
❍ D. BIOS
Quick Answer: 249 Detailed Answer: 265

24. Which of the following is an inherent risk associated with BIOS passwords?
❍ A. They can easily be guessed.
❍ B. Manufacturer created backdoors.
❍ C. Too many incorrect guesses can lock it out forever.
❍ D. Too many incorrect guesses can destroy the BIOS.
Quick Answer: 249 Detailed Answer: 265

25. Which of the following is the most likely result of the physical compromise of the BIOS?
❍ A. A DoS attack.
❍ B. A virus infection.
❍ C. The MBR has been changed.
❍ D. The system boot order has been changed.
Quick Answer: 249 Detailed Answer: 265

26. Which of the following groups poses the greatest threat to an organization because they have the most frequent access to data and the opportunity to either deliberately sabotage it or accidentally delete it?
❍ A. Partnering vendors
❍ B. Contract workers
❍ C. Internal users
❍ D. External users
Quick Answer: 249 Detailed Answer: 266

27. Your organization is exploring data loss prevention solutions. The proposed solution is an end-point solution. This solution is targeting which of the following data states?
❍ A. In motion
❍ B. At rest
❍ C. In use
❍ D. At flux
Quick Answer: 249 Detailed Answer: 266
28. Which of the following uses a secure cryptoprocessor to authenticate hardware devices, such as a PC or laptop?
❍ A. Public key infrastructure
❍ B. Full disk encryption
❍ C. File-level encryption
❍ D. Trusted platform module
Quick Answer: 249 Detailed Answer: 266

29. Which of the following is one of the biggest challenges associated with database encryption?
❍ A. Multitenancy
❍ B. Key management
❍ C. Weak authentication components
❍ D. Platform support
Quick Answer: 249 Detailed Answer: 266

30. Which of the following standards is used in HSMs?
❍ A. PKCS#11
❍ B. PKCS#7
❍ C. AES
❍ D. EFS
Quick Answer: 249 Detailed Answer: 266

31. Which of the following is the preferred type of encryption used in SaaS platforms?
❍ A. Application level
❍ B. Database level
❍ C. Media level
❍ D. HSM level
Quick Answer: 249 Detailed Answer: 266

32. Your organization is exploring data loss prevention solutions. The proposed solution is a software network solution installed near the network perimeter to monitor for and flag policy violations. This solution is targeting which of the following data states?
❍ A. In motion
❍ B. At rest
❍ C. In use
❍ D. At flux
Quick Answer: 249 Detailed Answer: 267
33. Your organization is exploring data loss prevention solutions. The proposed solution is a software storage solution that monitors how confidential data is stored. This solution is targeting which of the following data states?
❍ A. In motion
❍ B. At rest
❍ C. In use
❍ D. At flux
Quick Answer: 249 Detailed Answer: 267

34. Which of the following is the most useful when you’re dealing with a machine that is being taken on the road, such as those used by traveling executives, sales managers, or insurance agents?
❍ A. Full disk encryption
❍ B. File level encryption
❍ C. Media level encryption
❍ D. Application level encryption
Quick Answer: 249 Detailed Answer: 267

35. EFS is an example of which of the following?
❍ A. Full disk encryption
❍ B. File level encryption
❍ C. Media level encryption
❍ D. Application level encryption
Quick Answer: 249 Detailed Answer: 267

36. Which of the following is the most useful when you’re dealing with data that is stored in a shared cloud environment?
❍ A. Full disk encryption
❍ B. File level encryption
❍ C. Media level encryption
❍ D. Application level encryption
Quick Answer: 249 Detailed Answer: 267

37. Which of the following is commonly used in the banking sector to secure numerous large, bulk transactions?
❍ A. Full disk encryption
❍ B. HSM
❍ C. TPM
❍ D. File level encryption
Quick Answer: 249 Detailed Answer: 268
38. Which of the following is a hardware solution typically attached to the circuit board of the system used for greater security protection for processes such as digital signing, mission critical applications, and businesses where high security is required?
❍ A. Full disk encryption
❍ B. HSM
❍ C. TPM
❍ D. File level encryption
Quick Answer: 249 Detailed Answer: 268

39. Which of the following is a cloud-based security solution mainly found in private datacenters?
❍ A. VPC
❍ B. HSM
❍ C. TPM
❍ D. PKI
Quick Answer: 249 Detailed Answer: 268

40. In which of the following types of encryption does authentication happen on power up of the drive through either a software preboot authentication environment or with a BIOS password?
❍ A. TPM
❍ B. HSM
❍ C. Hard disk encryption
❍ D. File level encryption
Quick Answer: 249 Detailed Answer: 268
Quick-Check Answer Key

Objective 4.1: Explain the importance of application security.
1. A
2. D
3. B
4. A, D
5. A
6. B
7. B
8. C
9. B
10. B
11. D
12. C
13. B
14. C
15. A, B, D
16. A, B
17. D
18. A, B
19. D
20. B
21. A
22. C
23. B, C
24. C
25. B
26. B, C, D
27. A, B, D
28. A
29. B
30. A
31. C
32. D
33. C
34. D
35. B
36. A, B, C
37. B
38. C
39. A, B
40. A

Objective 4.2: Carry out appropriate procedures to establish host security.
1. C
2. C
3. D
4. C
5. A, D
6. B
7. B, C
8. A
9. D
10. B, D
11. A
12. B
13. A, C, D
14. A, B, C
15. B
16. C
17. D
18. C
19. A
20. B
21. A, C, D
22. A
23. C
24. B
25. D
26. A
27. B
28. B, C
29. A, B
30. C
31. D
32. C
33. B
34. A
35. A, B

Objective 4.3: Explain the importance of data security.
1. B
2. C
3. A
4. B, D
5. A
6. D
7. B, C, D
8. B
9. B
10. A, C, D
11. C
12. D
13. A, C
14. B, C
15. D
16. A
17. C
18. A, B, D
19. B
20. A
21. C, D
22. A, B, C, D
23. C
24. B
25. D
26. C
27. C
28. D
29. B
30. A
31. A
32. A
33. B
34. A
35. B
36. D
37. B
38. C
39. A
40. C
Answers and Explanations

Objective 4.1: Explain the importance of application security.

1. Answer: A. In some closed application instances, fuzzing may be the only means of reviewing the security quality of the program. Answer B is incorrect because cross-site scripting (XSS) vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer C is incorrect because input validation tests whether an application properly handles input from a source outside the application destined for internal processing. Answer D is incorrect because Cross-site Request Forgery (XSRF) is an attack in which the end user executes unwanted actions on a web application while the user is currently authenticated.

2. Answer: D. Cross-site Request Forgery (XSRF) is an attack in which the end user executes unwanted actions on a web application while the user is currently authenticated. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer B is incorrect because input validation errors are a result of improper field checking in the code. Answer C is incorrect because cross-site scripting (XSS) vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.

3. Answer: B. To mitigate Cross-site Request Forgery (XSRF) attacks, the most common solution is to add a token for every POST or GET request that is initiated from the browser to the server. Answer A is incorrect because buffer overflows are associated with input validation. Answer C is incorrect because setting the HTTPOnly flag on the session cookie is used to mitigate XSS attacks. Answer D is incorrect because input validation tests whether an application properly handles input from a source outside the application destined for internal processing.

4. Answers: A, D. A buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions, and input validation errors are a result of improper field checking in the code. Answer B is incorrect because Cross-site Request Forgery (XSRF) is an attack in which the end user executes unwanted actions on a web application while the user is currently authenticated. Answer C is incorrect because cross-site scripting (XSS) vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.

5. Answer: A. Anonymous access to share files of questionable or undesirable content should be limited for proper FTP server security. Answer B is incorrect because it is a hardening practice for DHCP services. Answers C and D are incorrect because they are associated with hardening DNS service.

6. Answer: B. Regular review of networks for unauthorized or rogue servers is a practice used to harden DHCP services. Answer A is incorrect because anonymous access to share files of questionable or undesirable content should be limited for proper FTP server security. Answers C and D are incorrect because they are associated with hardening DNS servers.

7. Answer: B. The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browser. All they need to do is get that browser to make a request to the website on their behalf. This can be done by either convincing the users to click an HTML page the attacker has constructed or inserting arbitrary HTML in a target website that the users visit. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer C is incorrect because cross-site scripting (XSS) vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

8. Answer: C. Cross-site scripting (XSS) vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer B is incorrect. The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browser. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

9. Answer: B. The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browser.
Answer A is incorrect because a buffer overflow is direct result of poor or incorrect input validation or mishandled exceptions. Answer C is incorrect. Cross-site scripting (XXS) vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer D is incorrect because input validation errors are a result of improper field checking in the code. 10. Answer: B. Proactive patch management is necessary to keep your technology environment secure and reliable. Answer A is incorrect because application baselining is similar to operating system baselining in that it provides a reference point for normal and abnormal activity. Answer C is incorrect because network monitoring is used to check network activity. Answer D is incorrect because input validation errors are a result of improper field checking in the code. 11. Answer: D. It is important that security is implemented from the very beginning. In the early design phase, potential threats to the application must be identified and addressed. Ways to reduce the associated risks must also be taken into consideration. Therefore answers A,B, and C are incorrect. 12. Answer: C. Input validation tests whether an application properly handles input from a source outside the application destined for internal processing. Answer A is incorrect because fuzzing allows an attacker to inject random-looking data into a program to see if it can cause the program to crash. Answer B is incorrect because testing is a generic term that encompasses more than what the question is asking. Answer D is incorrect because it is a method used to mitigate Cross-site Request Forgery (XSRF) attacks.
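The three controls that answers 2, 3, 7 through 9 and 12 describe (a per-session anti-XSRF token echoed back on every state-changing request, an HttpOnly session cookie, and input validation before processing) fit together in one request handler. The following is an added example written for this edition, not code from the book or from any product; the handler name handle_transfer, the in-memory SESSIONS store, the request dictionary layout and the account/amount rules are assumptions made for the illustration.

```python
# Added example (not from the book): a minimal request handler that applies the
# three controls described above: a per-session anti-XSRF token that every
# state-changing request must echo back, an HttpOnly session cookie, and strict
# input validation before the request is processed. handle_transfer, SESSIONS
# and the request dict layout are assumptions made for this illustration.
import hmac
import re
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")   # allowlist: 8-12 digit account ids
MAX_AMOUNT_CENTS = 1_000_000                 # refuse anything above this


def create_session(user):
    """Create a session; return the Set-Cookie header value and the XSRF token.
    The token is returned to the page (for example in a hidden form field), never
    in a cookie, because the browser would send a cookie with a forged request too."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    # HttpOnly keeps script (for example an XSS payload) from reading the cookie;
    # Secure and SameSite=Strict narrow when the browser will send it at all.
    set_cookie = f"session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return set_cookie, token


def _parse_cookie(header):
    """Return the session id from a raw Cookie header, or None."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def validate_transfer_fields(form):
    """Input validation: reject anything outside the expected shape.
    Returns (ok, reason)."""
    account = form.get("to_account", "")
    amount = form.get("amount_cents", "")
    if not ACCOUNT_RE.fullmatch(account):
        return False, "bad account id"
    if not amount.isdigit():
        return False, "amount must be an integer number of cents"
    if not 0 < int(amount) <= MAX_AMOUNT_CENTS:
        return False, "amount out of range"
    return True, ""


def handle_transfer(request):
    """request = {"method": str, "headers": {...}, "form": {...}}.
    Returns (status, body)."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    sid = _parse_cookie(request["headers"].get("Cookie", ""))
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    # Anti-XSRF check: the token in the form body must match the one bound to
    # this session. A forged cross-site request carries the cookie (the browser
    # adds it automatically) but cannot carry the token, because the attacker's
    # page cannot read it.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403, "csrf token missing or invalid"
    ok, reason = validate_transfer_fields(request["form"])
    if not ok:
        return 400, reason
    return 200, f"transfer of {request['form']['amount_cents']} cents by {session['user']} accepted"
```

A forged request from an attacker's page arrives with the victim's cookie but without the token, so it stops at the 403 check; a request whose fields do not match the allowlist stops at the 400 check before anything touches the back end.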
13. Answer: B. In protocol fuzzing, forged packets are sent to the tested application; the fuzzer can also act as a proxy, modifying requests on the fly and then replaying them. Answer A is incorrect because in application fuzzing, the attack vectors are within the application's I/O, such as the user interface, command-line options, URLs, forms, user-generated content, and RPC requests. Answer C is incorrect because in file format fuzzing, multiple malformed samples are generated and then opened sequentially. Answer D is incorrect because web page fuzzing is not a real term.

14. Answer: C. Hardening efforts for data repositories must address the security of the storage and backup of storage area networks (SANs), network-attached storage (NAS) configurations, and directory services such as Microsoft Active Directory and Novell eDirectory. Answer A is incorrect because it is associated with FTP server security. Answers B and D are incorrect because they are associated with hardening DNS services.

15. Answer: A, B, D. The three basic areas of hardening are operating system, application, and network. Answer C is incorrect because the Internet is a shared public network and is not hardened.

16. Answer: A, B. Operating system hardening includes encrypted file support and secured file system selection that allows the proper level of access control. Application hardening includes default application administration accounts and standard passwords. Common services installed by default should also be reviewed and changed or disabled as required. Answer C is incorrect because the Internet is a shared public network and is not hardened. Answer D is incorrect because network hardening involves access restrictions to network services, updates to security hardware and software, and disabling unnecessary protocol support and services.

17. Answer: D. Network hardening involves access restrictions to network services, updates to security hardware and software, and disabling unnecessary protocol support and services. Answer A is incorrect; operating system hardening includes encrypted file support and secured file system selection that allows the proper level of access control. Answer B is incorrect; application hardening includes default application administration accounts and standard passwords. Common services installed by default should also be reviewed and changed or disabled as required. Answer C is incorrect because the Internet is a shared public network and is not hardened.

18. Answer: A, B. Operating system hardening includes encrypted file support and secured file system selection. This allows the proper level of access control and allows you to address newly identified exploits and apply security patches, hotfixes, and service packs. Application hardening includes default application administration accounts and standard passwords. Common services installed by default should also be reviewed and changed or disabled as required. Applications must be maintained in an updated state through the regular review of hotfixes, patches, and service packs. Answer C is incorrect because the Internet is a shared public network and is not hardened. Answer D is incorrect because network hardening involves access restrictions to network shares and services, updates to security hardware and software, and disabling unnecessary protocol support and services.
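Answers 1 and 13 describe fuzzing as injecting random-looking data to see whether the program crashes. The following is an added example for this edition, not code from the book: a small mutation fuzzer run against a deliberately sloppy record parser, so that the difference between a handled malformed input (the parser's own ParseError) and a real crash (any other exception) is visible. The record layout, parse_record, mutate and fuzz are all constructed for the illustration.

```python
# Added example (not from the book): a mutation fuzzer run against a
# deliberately sloppy record parser. parse_record, ParseError, the record
# layout and the mutation strategies are constructed for this illustration.
import random


class ParseError(Exception):
    """The only exception parse_record is documented to raise."""


def make_record(payload: bytes) -> bytes:
    """Build a valid record: one length byte, the payload, one XOR checksum byte."""
    check = 0
    for b in payload:
        check ^= b
    return bytes([len(payload)]) + payload + bytes([check])


def parse_record(data: bytes) -> bytes:
    """Parse a record and return its payload.
    The bug: the checksum byte is read with an index that is never bounds-checked,
    so a record with a complete payload but no checksum byte raises IndexError."""
    if not data:
        raise ParseError("empty record")
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) != n:
        raise ParseError("short payload")
    expected = 0
    for b in payload:
        expected ^= b
    if data[1 + n] != expected:          # IndexError when the checksum byte is missing
        raise ParseError("bad checksum")
    return payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: truncate, flip a bit, insert a byte, or set an extreme length."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]          # truncate somewhere after the length byte
    elif choice == 1:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)                # single bit flip
    elif choice == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        data[0] = rng.choice([0, 1, 127, 255])          # boundary values for the length field
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1):
    """Feed mutated inputs to the parser and collect inputs that raise anything
    other than the documented ParseError. Returns a list of (input, exception name)."""
    rng = random.Random(rng_seed)
    crashes = []
    seen = set()
    for _ in range(iterations):
        case = mutate(seed, rng)
        if case in seen:
            continue
        seen.add(case)
        try:
            parser(case)
        except ParseError:
            pass                                        # handled input, not a finding
        except Exception as exc:                        # anything else is a crash
            crashes.append((case, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for case, exc_name in fuzz(parse_record, make_record(b"hello")):
        print(f"{exc_name} on {case!r}")
```

The fuzzer knows nothing about the format beyond one valid seed record; the truncation and length-field mutations are enough to reach the unchecked index, which is the kind of defect a closed application's owner would otherwise only hear about from an attacker.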
19. Answer: D. Mapping avenues of access is critical in hardening a network. This process is part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection. Answers A, B, and C are incorrect because they are part of operating system hardening.

20. Answer: B. Hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. A hotfix is related to a service pack and should be deployed with this in mind. Answer A is incorrect because service packs are major revisions of functionality or service operation in an installed application. Service packs are the least common type of update, often requiring extensive testing before application to ensure against service failure in integrated network environments. Answer C is incorrect because patches are similar to hotfixes; security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Answer D is incorrect because maintenance releases are incremental updates between service packs or software versions to fix multiple outstanding issues.

21. Answer: A. Service packs are major revisions of functionality or service operation in an installed application or operating system. Service packs are the least common type of update, often requiring extensive testing before application to ensure against service failure in integrated network environments. Answer B is incorrect because hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. Answer C is incorrect because patches are similar to hotfixes; patches are typically focused updates that affect installed applications. Security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Answer D is incorrect because maintenance releases are incremental updates between service packs or software versions to fix multiple outstanding issues.

22. Answer: C. Patches are similar to hotfixes; patches are typically focused updates that affect installed applications. Security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Answer A is incorrect because service packs are major revisions of functionality or service operation in an installed application. Service packs are the least common type of update, often requiring extensive testing before application to ensure against service failure in integrated network environments. Answer B is incorrect; hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. Answer D is incorrect because maintenance releases are incremental updates between service packs or software versions to fix multiple outstanding issues.

23. Answer: B, C. In application hardening, default application administration accounts, standard passwords, and common services installed by default should be reviewed and changed or disabled as required. Answer A is incorrect because key management has to do with certificates. Answer D is incorrect because behavior-based profiles are associated with intrusion detection.
24. Answer: C. It is imperative to include regular update reviews for all deployed operating systems, to address newly identified exploits and apply security patches, hotfixes, and service packs. Answer A is incorrect; update reviews will not reveal compromised administrative accounts. Answer B is incorrect because behavior-based profiles are associated with intrusion detection. Answer D is incorrect; firmware updates have to do with hardware, not operating systems.

25. Answer: B. IP Security (IPsec) and public key infrastructure (PKI) implementations must be properly configured and updated to maintain key and ticket stores. Some systems may be hardened to include specific levels of access, gaining the C2 security rating required by many government deployment scenarios. Answer A is incorrect because behavior-based profiles are associated with intrusion detection. Answer C is incorrect; regular update reviews for all deployed operating systems address newly identified exploits and the application of security patches, hotfixes, and service packs, not key and ticket stores. Answer D is incorrect; IPsec and PKI have nothing to do with isolating access attempts.

26. Answer: B, C, D. Operating system hardening includes configuring log files and auditing, changing default administrator account names and default passwords, and instituting account lockout and password policies to guarantee strong passwords that can resist brute-force attacks. File-level security and access control mechanisms serve to isolate access attempts within the operating system environment. Answer A is incorrect because regularly reviewing applied firmware updates, and applying those that are required for the network configuration and hardware solutions in use, is a network hardening practice.

27. Answer: A, B, D. Network hardening practices include configuring log files and auditing, and configuring network devices and firewalls to exclude unsecure protocols, such as raw Telnet sessions that transfer logon and session details in plaintext. Routing hardware must also be maintained in a current state by regularly reviewing applied firmware updates and applying those that are required for the network configuration and hardware solutions in use. Answer C is incorrect because securing the file system is an operating system hardening activity.

28. Answer: A. Mapping avenues of access is critical in hardening a network. This process is part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection. Wireless networks also create significant avenues for unsecure access to a secured network. A user who configures a PC card on his workstation to allow synchronization of his 802.11-compliant wireless PDA may have inadvertently bypassed all security surrounding an organization's network. Answer B is incorrect; hardware-related vulnerabilities are associated with network hardening practices. Answer C is incorrect; hardware-related vulnerabilities are associated with operating system hardening practices. Answer D is incorrect; access control is associated with operating system hardening practices.
29. Answer: B. Regular log review is critical for web servers to ensure that submitted URL values are not being used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer A is incorrect; email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments. Answer C is incorrect; because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception by packet sniffing. Answer D is incorrect; unauthorized DNS zone transfers should be restricted to prevent DNS poisoning attacks.

30. Answer: A. Email service hardening includes preventing SMTP relay from being used by spammers and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect; regular log review is critical for web servers to ensure that submitted URL values are not being used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer C is incorrect; because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception by packet sniffing. Answer D is incorrect; unauthorized DNS zone transfers should be restricted to prevent DNS poisoning attacks.

31. Answer: C. Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations and risks as email servers. Answers A, B, and D are incorrect. Access control for newsgroups may be somewhat more complex, with moderated groups allowing public anonymous submission (and authenticated access required for post approval). This type of control is not addressed with database, DNS, or DHCP servers.

32. Answer: D. Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records. Answer A is incorrect; email service hardening includes preventing SMTP relay from being used by spammers and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect; regular log review is critical for web servers to ensure that submitted URL values are not being used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer C is incorrect; because of limitations in the FTP protocol, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception by packet sniffing.

33. Answer: C. FTP logs should be spot-checked for password-guessing and brute-force attacks. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception by packet sniffing. Answer A is incorrect; email service hardening includes preventing SMTP relay from being used by spammers and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect; regular log review is critical for web servers to ensure that submitted URL values are not being used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer D is incorrect; unauthorized DNS zone transfers should be restricted to prevent DNS poisoning attacks.
34. Answer: D. Print servers pose several risks, including possible security breaches in the event that unauthorized parties access cached print jobs or sensitive printed material. DoS attacks may be used to disrupt normal methods of business, and network-connected printers require authentication of access to prevent attackers from generating printed memos, invoices, or any other manner of printed materials. Answer A is incorrect; email service hardening includes preventing SMTP relay from being used by spammers and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect; because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception by packet sniffing. Answer C is incorrect; if the operating system in use does not support DHCP server authentication, attackers may configure their own DHCP servers within a subnet, taking control of the network settings of clients that obtain leases from these rogue servers.

35. Answer: B. Dynamic Host Configuration Protocol (DHCP) servers share many of the same security problems associated with other network services, such as DNS servers. DHCP servers may be overwhelmed by lease requests if bandwidth and processing resources are insufficient. Answer A is incorrect because data repositories of any type might require specialized security considerations. Answers C and D are incorrect; Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations and risks as email servers.

36. Answer: A, B, C. Data repositories of any type might require specialized security considerations, based on the bandwidth and processing resources required to prevent DoS attacks, removal of default password and administration accounts such as the SQL default sa account, and security of replication traffic to prevent exposure of access credentials to packet sniffing. Answer D is incorrect because lease requirements are associated with DHCP servers.

37. Answer: B. Network file shares are not secure until you remove default access permissions. Answer A is incorrect; scope address pools have to do with DHCP servers. Answer C is incorrect because proper name resolution is associated with DNS servers. Answer D is incorrect; the password is not encrypted in many network file-sharing systems.

38. Answer: C. If the operating system in use does not support DHCP server authentication, attackers may configure their own DHCP servers within a subnet, taking control of the network settings of clients that obtain leases from these rogue servers. Answer A is incorrect; email service hardening includes preventing SMTP relay from being used by spammers and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect; because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in cleartext and may be subject to interception by packet sniffing. Answer D is incorrect; unauthorized zone transfers are associated with DNS attacks.

39. Answer: A, B. Data repositories of any type might require specialized security considerations based on the bandwidth and processing resources required. Role-based access control may be used to improve security, and the elimination of unneeded connection libraries and character sets may help to alleviate common exploits. Answers C and D are incorrect; using discretionary access control and eliminating bandwidth restrictions would relax security, not improve it.

40. Answer: A. Group Policy can be used for ease of administration in managing the environment of users. This can include installing software and updates or controlling what appears on the desktop based on the user's job function and level of experience. The Group Policy object (GPO) is used to apply Group Policy to users and computers. Answer B is incorrect because User Account Control is used primarily to decrease exposure to unauthorized changes to the operating system. Answers C and D are incorrect because Active Directory and directory services store information and settings in a central database.
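Answers 29, 33 and 38 above each turn on reviewing service logs: URL values submitted to a web server, password guessing against an FTP server, and rogue DHCP servers on a subnet. The following is an added example written for this edition, not code from the book, that runs those three checks over constructed log lines. The log formats (a dhcpd-style line extended with the offering server's address, a vsftpd-style login line, and the common access-log format), the authorized DHCP server list, the thresholds and the addresses are all assumptions made for the illustration.

```python
# Added example (not from the book): three log-review checks run over
# constructed log lines. Formats, thresholds and addresses are assumptions.
import re
from collections import Counter

AUTHORIZED_DHCP = {"10.0.0.2"}   # the only server that should ever answer DHCPDISCOVER
FTP_FAIL_THRESHOLD = 5           # failures from one client that count as guessing
MAX_URL_LEN = 512                # anything longer is treated as a possible overrun attempt
URL_PATTERNS = [
    re.compile(r"\.\./"),                   # directory traversal
    re.compile(r"%00"),                     # embedded null byte
    re.compile(r"(%[0-9a-fA-F]{2}){20,}"),  # long runs of encoded bytes (payload/overrun)
]

# Constructed sample lines. The DHCP lines follow dhcpd's DHCPOFFER wording plus a
# "from <server>" field, as a monitoring sensor that records the answering server
# might emit; the FTP lines follow vsftpd's style; the web lines are common log format.
DHCP_LOG = [
    "DHCPOFFER on 10.0.0.57 to 00:11:22:33:44:55 via eth0 from 10.0.0.2",
    "DHCPOFFER on 10.0.0.58 to 66:77:88:99:aa:bb via eth0 from 10.0.0.2",
    "DHCPOFFER on 192.168.1.5 to 66:77:88:99:aa:bb via eth0 from 10.0.0.99",
]
FTP_LOG = [
    'Mon Mar  5 10:01:02 2012 [pid 1] [bob] FAIL LOGIN: Client "203.0.113.9"',
    'Mon Mar  5 10:01:04 2012 [pid 1] [bob] FAIL LOGIN: Client "203.0.113.9"',
    'Mon Mar  5 10:01:06 2012 [pid 1] [root] FAIL LOGIN: Client "203.0.113.9"',
    'Mon Mar  5 10:01:08 2012 [pid 1] [admin] FAIL LOGIN: Client "203.0.113.9"',
    'Mon Mar  5 10:01:10 2012 [pid 1] [ftp] FAIL LOGIN: Client "203.0.113.9"',
    'Mon Mar  5 10:04:58 2012 [pid 2] [alice] FAIL LOGIN: Client "198.51.100.4"',
    'Mon Mar  5 10:05:00 2012 [pid 2] [alice] OK LOGIN: Client "198.51.100.4"',
]
WEB_LOG = [
    '198.51.100.4 - - [05/Mar/2012:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Mar/2012:10:00:01 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 210',
    '203.0.113.9 - - [05/Mar/2012:10:00:02 +0000] "GET /search?q=' + "%90" * 24 + ' HTTP/1.1" 500 0',
    '203.0.113.9 - - [05/Mar/2012:10:00:03 +0000] "GET /a?x=' + "A" * 600 + ' HTTP/1.1" 414 0',
]

DHCP_RE = re.compile(r"DHCPOFFER on (\S+) to (\S+) .* from (\S+)$")
FTP_FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]+)"')
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def rogue_dhcp_servers(lines, authorized=AUTHORIZED_DHCP):
    """Return the set of server addresses that issued offers but are not authorized."""
    rogue = set()
    for line in lines:
        m = DHCP_RE.search(line)
        if m and m.group(3) not in authorized:
            rogue.add(m.group(3))
    return rogue


def ftp_password_guessers(lines, threshold=FTP_FAIL_THRESHOLD):
    """Return {client_ip: failure_count} for clients at or above the threshold."""
    fails = Counter()
    for line in lines:
        m = FTP_FAIL_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def suspicious_requests(lines, max_len=MAX_URL_LEN):
    """Return (client, url, reason) for requests whose URL is overlong or matches a pattern."""
    findings = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        client, url = m.group(1), m.group(3)
        if len(url) > max_len:
            findings.append((client, url, "overlong url"))
            continue
        for pat in URL_PATTERNS:
            if pat.search(url):
                findings.append((client, url, "matches " + pat.pattern))
                break
    return findings


if __name__ == "__main__":
    print("rogue DHCP servers:", rogue_dhcp_servers(DHCP_LOG))
    print("FTP password guessing:", ftp_password_guessers(FTP_LOG))
    for client, url, reason in suspicious_requests(WEB_LOG):
        print(f"{client}: {reason}: {url[:40]}")
```

Each check is deliberately simple: an allowlist for DHCP, a count for FTP, and length plus pattern matching for URLs. The thresholds are the part a practitioner tunes; a low FTP threshold produces noise from users who mistype, a high one misses a slow guesser.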
Objective 4.2: Carry out appropriate procedures to establish host security.

1. Answer: C. A host intrusion prevention system (HIPS) consists of software that sits between your system's applications and the OS kernel. The HIPS monitors suspicious activity and then either blocks or allows the activity based on the predefined rule set. Therefore, answers A, B, and D are incorrect.

2. Answer: C. The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. Answers A and B are incorrect; a host intrusion detection system uses either misuse detection or anomaly detection. Answer D is incorrect because filtering is associated with antispam programs.

3. Answer: D. The main component of antispam software is heuristic filtering. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. Answers A and B are incorrect; a host intrusion detection system uses either misuse detection or anomaly detection. Answer C is incorrect because scanning is associated with antivirus programs.

4. Answer: C. The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. Answer A is incorrect because behavior patterns are associated with intrusion detection systems. Answers B and D are incorrect because antivirus software does not base its technology on Registry keys or commands. It will scan Registry keys, but the technology is based on a unique set of characters to identify malware.

5. Answer: A, D. If all pop-ups are blocked, the user might not be able to install applications or programs. Field help for fill-in forms is often in the form of a pop-up. Some pop-up blockers may delete the information already entered by reloading the page, causing users unnecessary grief. Answer B is incorrect because firewalls are not affected by pop-up blocker settings. Answer C is incorrect because that answer is associated with email lists.
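Answers 2 and 4 describe signature scanning (looking for a unique byte string), and the later answers in this objective contrast it with heuristic scanning (looking for instructions not normally found in ordinary programs) and introduce false positives and false negatives. The following is an added example written for this edition, not code from the book or any antivirus product, that runs both approaches over a handful of constructed "files" with known labels so that each outcome is visible. The signature database, the heuristic markers, the file contents and the labels are all constructed; the heuristic rules are deliberately crude so that the false-positive and false-negative cases show up.

```python
# Added example (not from the book): signature scanning beside heuristic
# scanning over constructed file contents with known labels. The signatures,
# markers, files and labels are constructed for this illustration.

# Signature database: name -> unique byte string. Both entries are made up.
SIGNATURES = {
    "Demo.Dropper.A": b"\x31\xc0\x50\x68//sh\x68/bin",   # a made-up shellcode fragment
    "Demo.Worm.B": b"net send * PWNED",                    # a made-up worm payload string
}

# Heuristic markers: byte strings that ordinary programs rarely contain, each
# with the reason a scanner would report. Crude on purpose.
HEURISTIC_MARKERS = [
    (b"WinExec", "calls WinExec"),
    (b"\\Run\\", "writes a Run registry key"),
    (b"CreateRemoteThread", "injects into another process"),
]

# Constructed "files": name -> (content, truly malicious?)
FILES = {
    "a.bin": (b"\x90\x90\x31\xc0\x50\x68//sh\x68/bin\x89\xe3", True),
    "b.exe": (b"MZ\x90\x00 ... net send * PWNED ...", True),
    "installer.exe": (b"MZ\x90\x00 ... WinExec ... \\CurrentVersion\\Run\\ ...", False),
    "new_variant.exe": (b"MZ\x90\x00 ... net send * OWNED ...", True),
    "notes.txt": (b"hello world", False),
}


def signature_scan(data, signatures=SIGNATURES):
    """Return the names of every signature whose byte string occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def heuristic_scan(data, markers=HEURISTIC_MARKERS):
    """Return the reason for every suspicious marker found in data."""
    return [reason for marker, reason in markers if marker in data]


def verdict(data):
    """'malicious' on a signature hit, 'suspicious' on any heuristic hit, else 'clean'."""
    if signature_scan(data):
        return "malicious"
    if heuristic_scan(data):
        return "suspicious"
    return "clean"


def evaluate(files=FILES):
    """Compare each verdict with the known label and name the outcome.
    A flag on a benign file is a false positive; a miss on a malicious one is a false negative."""
    results = {}
    for name, (data, is_malicious) in files.items():
        v = verdict(data)
        flagged = v != "clean"
        if flagged and is_malicious:
            outcome = "true positive"
        elif flagged:
            outcome = "false positive"
        elif is_malicious:
            outcome = "false negative"
        else:
            outcome = "true negative"
        results[name] = (v, outcome)
    return results


if __name__ == "__main__":
    for name, (v, outcome) in evaluate().items():
        print(f"{name:16} {v:10} {outcome}")
```

Two of the outcomes are the ones the later answers care about: installer.exe is flagged by the heuristic rules even though it is a legitimate installer (a false positive), and new_variant.exe slips through because its payload string differs from the stored signature by one byte (a false negative until the signature database is updated).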
6. Answer: B. Heuristic scanning looks for instructions or commands that are not typically found in application programs. Answer A is incorrect because it describes rootkit software. Answer C is incorrect because it describes antivirus signature scanning software. Answer D is incorrect because it describes firewall software.

7. Answer: B, C. Heuristic scanning looks for instructions or commands that are not typically found in application programs. The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated. Answers A and D are incorrect; buffer overflows and logic bombs are malware that have nothing to do with heuristic scanning methods.

8. Answer: A. A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action. Answer B is incorrect because it describes antivirus scanning software. Answer C is incorrect because it describes a false negative. Answer D is incorrect because the end result is a false negative.

9. Answer: D. When antispam software and updates are installed on a central server and pushed out to the client machines, this is called a centralized solution. When the updates are left up to the individual users, you have a decentralized environment. Answer A is incorrect because it describes a centralized solution. Answer B is incorrect; vendors are never responsible for updating applications on client machines. Answer C is incorrect because making the manager responsible for the updates is not necessarily a decentralized solution.

10. Answer: B, D. Specific spam filtering levels can be set on the user's email account. If the setting is high, more spam will be filtered, but legitimate email may also be filtered as spam, causing false positives. Therefore, answers A and C are incorrect because they depict just the opposite.

11. Answer: A. In general, an email address added to the approved list is never considered spam. This is also known as a white list. Using white lists allows more flexibility in the type of email you receive; putting the addresses of your relatives or friends in your white list allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a blacklist. Answer B is incorrect; blacklisting is blocking an email address. Answer C is incorrect; graylisting is related to white listing and blacklisting. Each time a given mailbox receives an email from an unknown contact (IP), that mail is rejected with a "try again later" response. Answer D is incorrect because brownlisting is a concept based on a CBL-type system driven by tokens from blocked sites.

12. Answer: B. In general, an email address added to the approved list is never considered spam. This is also known as a white list. Using white lists allows more flexibility in the type of email you receive; putting the addresses of your relatives or friends in your white list allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a blacklist. Answer A is incorrect; white listing is allowing an email address. Answer C is incorrect; graylisting is related to whitelisting and blacklisting. Each time a given mailbox receives an email from an unknown contact (IP), that mail is rejected with a "try again later" response. Answer D is incorrect because brownlisting is a concept based on a CBL-type system driven by tokens from blocked sites.
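Answers 3 and 10 through 12 describe four controls that a mail filter applies in order: a white list that always accepts, a blacklist that always rejects, graylisting that answers an unknown host with "try again later", and a heuristic rule set whose combined score is compared against the user's filtering level. The following is an added example written for this edition, not code from the book or from any mail product, that puts those controls in one acceptance decision. The rules, their scores, the three threshold levels, the addresses and the messages are all constructed for the illustration.

```python
# Added example (not from the book): a mail acceptance policy that combines a
# white list, a blacklist, graylisting and heuristic scoring. The rules,
# scores, levels, addresses and messages are constructed for this illustration.
import re

WHITE_LIST = {"mom@example.org"}          # always accepted, whatever the content
BLACK_LIST = {"deals@spam.example"}       # always rejected
SEEN_HOSTS = set()                        # graylisting state: hosts that have retried once

# Each rule: (description, pattern applied to subject + body, score). Scores add up.
RULES = [
    ("money words", re.compile(r"\b(free|winner|prize|lottery)\b", re.I), 2.0),
    ("urgent call to action", re.compile(r"\b(act now|click here|limited time)\b", re.I), 1.5),
    ("shouting subject", re.compile(r"^[A-Z !$]{10,}$", re.M), 1.0),
    ("many links", re.compile(r"(https?://\S+.*){3,}", re.S), 1.5),
]

# Filtering level -> score at or above which a message is treated as spam. A
# "high" level filters more, and therefore also catches more legitimate mail.
THRESHOLDS = {"low": 6.0, "medium": 4.0, "high": 2.0}


def score_message(subject, body, rules=RULES):
    """Return (total score, [(rule description, points) for each rule that fired])."""
    text = subject + "\n" + body
    hits = [(desc, pts) for desc, pat, pts in rules if pat.search(text)]
    return sum(pts for _, pts in hits), hits


def decide(sender, host, subject, body, level="medium", seen=None):
    """Return 'accept', 'reject', 'tempfail' or 'spam' for one delivery attempt.
    `seen` is the graylisting state; it defaults to the module-level set."""
    if seen is None:
        seen = SEEN_HOSTS
    if sender in WHITE_LIST:
        return "accept"                   # white list wins regardless of content
    if sender in BLACK_LIST:
        return "reject"                   # blacklist wins regardless of content
    if host not in seen:
        seen.add(host)
        return "tempfail"                 # graylisting: real mail servers retry, most bots do not
    score, _ = score_message(subject, body)
    return "spam" if score >= THRESHOLDS[level] else "accept"


if __name__ == "__main__":
    subject, body = "Limited time offer", "Click here for your free prize"
    print(score_message(subject, body))
    for level in ("low", "medium", "high"):
        state = {"203.0.113.5"}           # pretend the host already retried
        print(level, decide("news@example.com", "203.0.113.5", subject, body, level, state))
```

The same newsletter scores 3.5 and is accepted at the medium level but treated as spam at the high level, which is the trade-off answer 10 describes; a legitimate message that happens to use the words "free" and "act now" would be caught the same way at that level.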
Domain 4.0: Application, Data, and Host Security
259
13. Answer: A, C, D. Although some pop-ups are helpful, many are an annoyance, and others can contain inappropriate content or entice the user to download malware. Answer B is incorrect because it describes pop-up blockers, not pop-ups. 14. Answer: A, B, C. Many pop-up blockers are integrated into vendor toolbars. You can circumvent pop-up blockers in various ways. Most pop-up blockers block only the JavaScript; therefore, technologies such as Flash bypass the pop-up blocker. On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass the pop-up filter. Answer D is incorrect because users can adjust the settings on pop-up blockers. 15. Answer: B. Set the software to medium so that it will block most automatic pop-ups but still allow functionality. Keep in mind that you can adjust the settings on pop-up blockers to meet the organizational policy or to best protect the user environment. Answer A is incorrect because it will allow most pop-ups. Answer C is incorrect because it will affect functionality. Answer D is incorrect because the custom setting is not needed. 16. Answer: C. There are several variations of pop-up windows. A pop-under ad opens a new browser window under the active window. These types of ads often are not seen until the current window is closed. They are essentially “floating pop-ups” in a web page. Answers A and B are incorrect because they describe useful pop-ups and are not ads. Answer D is incorrect because it describes a hover ad. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups. 17. Answer: D. There are several variations of pop-up windows. A pop-under ad opens a new browser window under the active window. These types of ads often are not seen until the current window is closed. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups. They are essentially “floating pop-ups” in a web page. Answers A and B are incorrect because they describe useful pop-ups and are not ads. 
Answer C is incorrect because it describes a pop-under ad.
18. Answer: C. It is important to understand that the spam filter software cannot assign meaning to the words examined. It just tracks and compares the words used. Answer A is incorrect because chances are there is nothing wrong with the software. Answer B is incorrect because adjusting the settings may cause legitimate email to be filtered. Answer D is incorrect because chances are there is nothing wrong with the software. Training the software to recognize spam takes time, and often the process must be repeated.
19. Answer: A. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. The software reads the contents of each message and compares the words in that message against the words in typical spam messages. Each rule assigns a numeric score to the probability of the message being spam. This score is then used to determine whether the message meets the acceptable level set. Answers B, C, and D are incorrect because heuristic filtering is not based on character sets, commands, or Registry keys.
20. Answer: B. Scanning identifies virus code based on a unique string of characters known as a signature. Answer A is incorrect because heuristic filtering has a predefined rule set that compares incoming email information against the rule set. Answer C is incorrect because a misnomer has nothing to do with security. Answer D is incorrect because anomaly detection is associated with a HIDS.
21. Answer: A, C, D. Security baselines are often established by governmental mandate, regulatory bodies, or industry representatives, such as the PCI requirements established by the credit card industry for businesses collecting and transacting credit information. Answer B is incorrect because organizational requests are merely requests, and security baselines are often established due to some type of regulation or standard.
22. Answer: A. Security cables with combination locks can provide such security and are easy to use. They are used mostly to secure laptops and leave the equipment exposed. Answer B is incorrect because secure tower and server cages such as PC Safe are designed to bolt to the floor and are made for use in a static environment. Answer C is incorrect because a locked cabinet is an alternative for equipment that is not used or does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength. Answer D is incorrect because a hardware lock is used for license enforcement.
23. Answer: C. A locked cabinet is an alternative for equipment that is not used or does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength. Answer A is incorrect because security cables with combination locks can provide such security and are easy to use, but they are used mostly to secure laptops and leave the equipment exposed. Answer B is incorrect because PC Safe tower and server cages are designed to bolt to the floor and are meant to be in a static environment. Answer D is incorrect because a hardware lock is used for license enforcement.
24. Answer: B. PC Safe tower and server cages are designed to bolt to the floor and are meant to be in a static environment. For example, financial businesses have been hit hard by theft of desktop computers because they hold a lot of personal data. Answer A is incorrect. Security cables with combination locks can provide such security, are easy to use, and are used mostly to secure laptops and leave the equipment exposed. Answer C is incorrect because a locked cabinet is an alternative for equipment that is not used or does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength. Answer D is incorrect because a hardware lock is used for license enforcement.
25. Answer: D. Hardening of the operating system includes planning against both accidental and directed attacks, such as the use of fault-tolerant hardware and software solutions. In addition, it is important to implement an effective system for file-level security, including encrypted file support and secured file system selection that allows the proper level of access control. Answer A is incorrect because it is a host protection measure, not an OS hardening measure. Answer B is incorrect because this is a feature associated with data security, not host hardening. Answer C is incorrect because this is a secure communication measure.
Domain 4.0: Application, Data, and Host Security
26. Answer: A. Virtualization adds a layer of security as well as improves enterprise desktop management and control with faster deployment of desktops and fewer support calls due to application conflicts. Answer B is incorrect because network storage policies have nothing to do with desktop management. Answer C is incorrect because VPN remote access will not improve enterprise desktop management. Answer D is incorrect because roaming profiles do not add a layer of security.
27. Answer: B. Mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. Answer C is incorrect because a remote wipe allows the handheld’s data to be remotely deleted in the event the device is lost or stolen. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.
28. Answers: B, C. To establish effective security baselines, enterprise network security management requires a measure of commonality between the systems. Mandatory settings, standard application suites, and initial setup configuration details all factor into the security stance of an enterprise network. Answer A is incorrect because cable locks have nothing to do with effective security baselines. Answer D is incorrect because decentralized management does not have anything to do with security baselines.
29. Answers: A, B. All host devices must have some type of malware protection. A necessary software program for protecting the user environment is antivirus software. Antivirus software is used to scan for malicious code in email and downloaded files. Antispam and antispyware software can add another layer of defense to the infrastructure. Pop-up blocking software programs are available through browsers. Answer C is incorrect because content filtering is done at the server level to keep host machines from accessing certain content. Answer D is incorrect because web tracking software merely tracks the sites a person visited.
30. Answer: C. Host software baselining can be done for a variety of reasons, including malware monitoring and creating system images. Generally, the environment needs of an organization will fall into a legacy, enterprise, or high-security client. Answer A is incorrect because virtualization adds a layer of security as well as improves enterprise desktop management and control with faster deployment of desktops and fewer support calls due to application conflicts. Answer B is incorrect because network storage policies have nothing to do with desktop management. Answer D is incorrect because roaming profiles do not add a layer of security.
31. Answer: D. A screen lock or passcode is used to prevent access to the phone. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. Answer B is incorrect because mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer C is incorrect because a remote wipe allows the handheld’s data to be remotely deleted in the event the device is lost or stolen.
32. Answer: C. A remote wipe allows the handheld’s data to be remotely deleted in the event there is unsecured data on a device that is lost or stolen. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. Answer B is incorrect because mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.
33. Answer: B. Just like the data on hard drives, the data on mobiles can be encrypted. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. Answer C is incorrect. A remote wipe allows the handheld’s data to be remotely deleted in the event the device is lost or stolen. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.
34. Answer: A. A virtualized “sandboxed” guest system can help in computer-security research, which enables the study of the effects of some viruses or worms without the possibility of compromising the host system. Answer B is incorrect because network storage has nothing to do with desktop management. Answer C is incorrect because host software baselining can be done for a variety of reasons, including malware monitoring and creating system images. Answer D is incorrect because application baselining is used to monitor changes in application behavior.
35. Answers: A, B. All host devices must have some type of malware protection. A necessary software program for protecting the user environment is antivirus software. Antivirus software is used to scan for malicious code in email and downloaded files. Antispam and antispyware software can add another layer of defense to the infrastructure. Pop-up blocking software programs are available through browsers. Answer C is incorrect because content filtering is done at the server level to keep host machines from accessing certain content. Answer D is incorrect because web tracking software merely tracks the sites a person visited.
Objective 4.3: Explain the importance of data security.
1. Answer: B. A vulnerability in the BIOS can allow local users to cause a denial of service and the system to not boot. Answers A, C, and D are incorrect because they are all types of storage devices.
2. Answer: C. Although many organizations protect data in motion using encryption, they fail to protect that same data when it reaches its final resting place on storage subsystems. Answer A is incorrect. Network attached storage is a large-capacity device, and it is not easy to lose. Answer B is incorrect because it describes virtualization. Answer D is incorrect because antivirus software can be installed on large storage systems.
3. Answer: A. Just about everyone carries a cell phone, and most corporate workers have PDAs. These devices have associated risks. The first is theft or loss. It is estimated that eight million cell phones are lost or stolen every year. For many organizations, losing a cell phone or a PDA loaded with contacts, emails, and client data can be a severe detriment to business. Handheld devices are rarely password protected, even though they contain a remarkable amount of data. Answer B is incorrect; antivirus software can be installed on mobile systems. Answer C is incorrect because encryption can be used with handheld devices. Answer D is incorrect because cracking the password on handheld devices is no easier than regular password cracking.
4. Answer: B, D. A vulnerability in the BIOS can allow local users to cause a denial of service and the system to not boot. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted and is associated more with attacks that happen after the machine is up and running.
5. Answer: A. Small, high-capacity, removable storage devices present a concern when it comes to corporate security and protecting proprietary information. It is quite simple for a disgruntled employee to take data and sell it. Answers B and C are incorrect because the devices can be scanned for malware and can also be encrypted. Answer D is incorrect because having the device break off in the computer is not a security risk.
6. Answer: D. Group Policy can be used to disable the capacity for unauthorized users to use any USB storage devices. Another layer of protection can be applied by encrypting and properly securing sensitive corporate information. Answer A is incorrect because editing the Registry can cause harm. Answer B is incorrect because filling the USB slots with glue can cause harm to the computer. Answer C is incorrect because the Security Accounts Manager (SAM) stores password information.
7. Answer: B, C, D. The BIOS can be compromised in several ways: the BIOS password, known vulnerabilities, and bypassing access control. Answer A is incorrect because editing the Registry is done after the system has already booted.
8. Answer: B. To provide convenience and redundancy, technologies such as WLAN, USB, and Bluetooth connections are used with client software to sync PDAs and cell phones to a user’s desktop computer. There are also enterprise-level product suites. Although this might prevent lost data, it also presents other risks. New security threats targeting cell phones and other mobile devices could quickly become bigger than anything the industry has seen so far. Therefore, answers A, C, and D are incorrect.
9. Answer: B. Security policy should dictate that sensitive data be encrypted. Answer A is incorrect because limiting email address access would cause excessive overhead. Answer C is incorrect because eliminating attachments would not secure the communication. Answer D is incorrect because the use of passwords would not secure the communication.
10. Answer: A, C, D. BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. Answer B is incorrect because the MBR is part of the hard disk configuration and has nothing to do with the BIOS.
11. Answer: C. System access to the BIOS configuration utility is controlled by a password. After the password is set, the configuration of the computer cannot be changed without inputting the password. Answers A and B are incorrect because they are hardware devices. Answer D is incorrect because Access Control Lists are used on routers and operating systems but not on the BIOS.
12. Answer: D. The BIOS passwords of laptops are a bit different in that the passwords are usually flashed into firmware. Answers A and B are incorrect because encryption is not automatic for all BIOS versions. Answer C is incorrect because desktop BIOS passwords are stored in the CMOS and are not flashed into the firmware.
13. Answer: A, C. Depending on the manufacturer, the laptop may have a hardware dongle or special loopback device to bypass the password. Answer B is incorrect because a lock pick is used for breaking standard locking mechanisms such as a door lock. Answer D is incorrect because reseating the memory will not reset or bypass the password.
14. Answer: B, C. Many organizations do not have a policy for BIOS passwords. In many organizations, most computers share the same BIOS password, and that password is seldom changed. If an attacker manages to gain physical access, a large portion of the network could be compromised. Answer A is incorrect because sharing the same BIOS password is not good practice and leaves the machine vulnerable. Answer D is incorrect because a hard disk drive password is used after the system boots.
15. Answer: D. It is quite simple for a disgruntled employee to misuse data (take the data and sell it, for instance). Of course, the real issue is access to the information. However, if the information is readily available, even employees with good intentions might misplace or have a removable storage device stolen. Answers A, B, and C are incorrect; the main underlying concern is the amount of data that is available to employees, not unencrypted data, the ability to access multiple machines, or malware infection.
16. Answer: A. The more capabilities a device has, the more vulnerable the device. The Cabir virus has been found in about 15 different variations. According to a report from an Ireland-based cell phone security company, in mid-2008 the security company tracked 100,000 virus incidents per day. Answer B is incorrect because rootkits are normally not found on handheld devices. Answers C and D are incorrect because they both imply that the users are the ones sending the text messages.
17. Answer: C. The more capabilities a device has, the more vulnerable the device. The Cabir virus has been found in about 15 different variations. According to a report from an Ireland-based cell phone security company, in mid-2008 the security company tracked 100,000 virus incidents per day. Answer A is incorrect because it implies that the users are the ones sending the text messages. Answer B is incorrect because not all devices currently have intrusion detection software available. Answer D is incorrect because encryption will not eliminate virus threats.
18. Answer: A, B, D. Removable hard drives, especially the small passport types, afford users the convenience to carry files for both their work environment and their home environment in one device. This convenience provides an opportunity for viruses and other malware to spread between networks and physical locations as they share files in both environments and with other users. In addition to malware infections, these devices have a large amount of storage space, so they lend themselves to data theft and information leakage. Answer C is incorrect. Reduced productivity should not be a byproduct of allowing removable hard drives.
19. Answer: B. A better approach is to combine security policies with purchasing and issuing removable storage devices and encrypting them as necessary. Then allow only the approved devices and block all unauthorized devices. Although answers A and C are viable solutions, they are not the best approach. Answer D is incorrect because it causes undue administrative overhead.
20. Answer: A. An organization should consider implementing controls that ensure all portable devices and removable media are encrypted and accounted for. The security policy should require encryption of all data on portable computers and removable storage. Answer B is incorrect because passwords can easily be cracked, especially if there are not proper password policies in place. Answers C and D are incorrect because employee dismissal and employee remediation will do nothing to protect the data if the device is lost.
21. Answer: C, D. A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management. Answer A is incorrect because it describes a solution for small storage devices. Answer B is incorrect because passwords can easily be cracked, especially if there are not proper password policies in place.
22. Answer: A, B, C, D. A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management.
23. Answer: C. Some security appliances sit on a SAN or are connected to NAS to protect data considered “at rest.” Answers A and B are incorrect because they are handheld devices and the data changes. Answer D is incorrect. The BIOS is not considered data at rest.
24. Answer: B. Many BIOS manufacturers build in backdoor passwords. Often, they are simple, such as the name of the BIOS manufacturer. In addition, lists of known backdoor passwords are available on the Internet. Because this method of access has become so public, BIOS manufacturers have become more secretive about any backdoors they may now use. Answer A is incorrect because secure BIOS passwords can be made. Answer C is incorrect because the BIOS does not lock the user out after too many bad passwords. This is a condition set with Group Policy. Answer D is incorrect because too many incorrect BIOS password guesses will not destroy it, but improperly flashing it will.
25. Answer: D. If an attacker gains physical access to the machine and changes the boot order, there is no way to protect the system from compromise. An attacker could boot the system from a device that contains software to change the administrative password, extract password information for a later attack, directly access data on the hard disk, or install a backdoor or Trojan. Answers A and B are incorrect; a DoS attack and virus do not require physical access to the machine. Answer C is incorrect because the MBR is concerned with operating system boot order, not BIOS boot order.
26. Answer: C. The internal user has the greatest access to data and the opportunity to either deliberately sabotage it or accidentally delete it. Although partnering vendors, contract workers, and external users have the opportunity to damage data, they do not have enough permission to accidentally delete data, nor do they have access to data as readily as internal users. Based on this information, answers A, B, and D are incorrect.
27. Answer: C. Protection of data in use is considered to be an endpoint solution, and the application is run on end-user workstations or servers in the organization. Answer A is incorrect because protection of data in motion is considered to be a network solution, and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer B is incorrect because protection of data at rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer D is incorrect because there is no such data state.
28. Answer: D. TPM refers to a secure crypto-processor used to authenticate hardware devices such as a PC or laptop. The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. Answer A is incorrect because Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Answer B is incorrect because full-disk encryption involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. Answer C is incorrect because in file or folder level encryption, individual files or directories are encrypted by the file system itself.
29. Answer: B. One of the biggest challenges associated with database encryption is key management. Answer A is incorrect because multi-tenancy is a security issue related to cloud-computing implementations. Answer C is incorrect because lack of management software and weak authentication components are associated with hardware hard drive encryption. Answer D is incorrect because cost and platform support are concerns with smart phone encryption products.
30. Answer: A. The PKCS#11 standard provides for access to public and private asymmetric keys, symmetric keys, X.509 certificates, and application data. PKCS#11 is the de facto standard for platform applications, although some newer HSMs include more advanced authentication and authorization models. Answer B is incorrect because the PKCS #7 Cryptographic Message Syntax Standard describes the syntax for data streams, such as digital signatures, that may have cryptography applied to them. Answer C is incorrect because AES is most commonly found on USB drive encryption. Answer D is incorrect because EFS is the encrypting file system available in newer Microsoft operating systems.
31. Answer: A. In a SaaS environment, application level encryption is preferred because the data is encrypted by the application before being stored in the database or file system. The advantage is that it protects the data from the user all the way to storage. Answer B is incorrect because in cloud implementations, data should be encrypted at the application layer rather than within a database, due to the complexity involved, and media encryption is managed at the storage layer. Answer C is incorrect because encryption of a complete virtual machine on IaaS could be considered media encryption. Answer D is incorrect because an HSM solution is mainly found in private datacenters that manage and offload cryptography with dedicated hardware appliances.
32. Answer: A. Protection of data in motion is considered to be a network solution, and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer B is incorrect because protection of data at rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer C is incorrect because protection of data in use is considered to be an endpoint solution, and the application is run on end-user workstations or servers in the organization. Answer D is incorrect because there is no such data state.
33. Answer: B. Protection of data at rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer A is incorrect because protection of data in motion is considered to be a network solution, and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer C is incorrect because protection of data in use is considered to be an endpoint solution, and the application is run on end-user workstations or servers in the organization. Answer D is incorrect because there is no such data state.
34. Answer: A. Full disk encryption is most useful when you’re dealing with a machine that is being taken on the road, such as those used by traveling executives, sales managers, or insurance agents. Answer B is incorrect because in file or folder level encryption, individual files or directories are encrypted by the file system itself. Answer C is incorrect because media encryption is used for USB flash drives, iPods, and other portable storage devices. Answer D is incorrect because application level encryption will not protect the data stored on the machine.
35. Answer: B. In file or folder level encryption, individual files or directories are encrypted by the file system itself. Perhaps one of the most common examples of this type of encryption is the encrypting file system (EFS) available in newer Microsoft operating systems. Answer A is incorrect because full disk encryption is most useful when you’re dealing with a machine that is being taken on the road, such as those used by traveling executives, sales managers, or insurance agents. Answer C is incorrect because media encryption is used for USB flash drives, iPods, and other portable storage devices. Answer D is incorrect because application level encryption is used in cloud implementations.
36. Answer: D. In a cloud environment, application level encryption is preferred because the data is encrypted by the application before being stored in the database or file system. The advantage is that it protects the data from the user all the way to storage. Answer A is incorrect because full disk encryption is most useful when you’re dealing with a machine that is being taken on the road, such as those used by traveling executives, sales managers, or insurance agents. Answer B is incorrect because in file or folder level encryption, individual files or directories are encrypted by the file system itself. Answer C is incorrect because media encryption is used for USB flash drives, iPods, and other portable storage devices.
37. Answer: B. Traditionally, HSMs have been used in the banking sector to secure numerous large, bulk transactions. Answer A is incorrect because full disk encryption is most useful when you’re dealing with a machine that is being taken on the road, such as those used by traveling executives, sales managers, or insurance agents. Answer C is incorrect because TPM refers to a secure crypto processor used to authenticate hardware devices, such as PCs or laptops. Answer D is incorrect because in file or folder level encryption, individual files or directories are encrypted by the file system itself.
38. Answer: C. At the most basic level, TPM provides for the secure storage of keys, passwords, and digital certificates, and is hardware-based, typically attached to the circuit board of the system. Answer A is incorrect because full disk encryption is meant to encrypt the entire contents of the drive, including temporary files and memory. Answer B is incorrect because a hardware security module (HSM) can be described as a black-box combination of hardware and software/firmware that is attached to or contained inside a computer and used to provide cryptographic functions for tamper protection and increased performance. Answer D is incorrect because in file or folder level encryption, individual files or directories are encrypted by the file system itself.
39. Answer: A. The HSM and cloud machines can both live on the same virtual private network through the use of a virtual private cloud (VPC) environment. This type of solution is mainly found in private datacenters that manage and offload cryptography with dedicated hardware appliances. Answer B is incorrect because traditionally HSMs have been used in the banking sector to secure numerous large, bulk transactions. Answer C is incorrect because TPM refers to a secure crypto processor used to authenticate hardware devices, such as PCs or laptops. Answer D is incorrect because Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
40. Answer: C. With hardware disk encryption, authentication happens on power-up of the drive, through either a software pre-boot authentication environment or a BIOS password. Enhanced firmware and special-purpose cryptographic hardware are built in to the hard disks. Answer A is incorrect because TPM refers to a secure crypto processor used to authenticate hardware devices, such as PCs or laptops. Answer B is incorrect because a hardware security module (HSM) can be described as a black-box combination of hardware and software/firmware that is attached to or contained inside a computer and used to provide cryptographic functions for tamper protection and increased performance. Answer D is incorrect because in file or folder level encryption, individual files or directories are encrypted by the file system itself.
CHAPTER FIVE
Domain 5.0: Access Control and Identity Management
The concept of security within the network environment includes aspects drawn from all operating systems, application software packages, hardware solutions, and networking configurations present within the network to be secured, and from within any network sharing connectivity, directly or indirectly, with the network to be secured. For the Security+ exam, you need to develop the broadest set of skills possible, gaining experience from the most specific to the most general of security concepts. This chapter focuses on access control mechanisms and methods for secure network authentication and physical access. A general knowledge of network terminology will aid in understanding these concepts. As a prospective security professional, you should also take every opportunity you may find to expand your skill base beyond these. The following list identifies the key areas from Domain 5.0 (which counts as 13% of the exam) that you need to master:
• Explain the function and purpose of authentication services
• Explain the fundamental concepts and best practices related to authorization and access control
• Implement appropriate security controls when performing account management
270
Chapter 5
Quick Check

Practice Questions

Objective 5.1: Explain the function and purpose of authentication services.

1. Which of the following are strengths of Kerberos authentication? (Select all correct answers.)
❍ A. Remote-access connections
❍ B. Time-synchronized connections
❍ C. The use of registered clients
❍ D. The use of registered service keys
Quick Answer: 293 Detailed Answer: 295

2. Over which of the following connection types does CHAP function?
❍ A. LDAP
❍ B. HTTP
❍ C. FTP
❍ D. PPP
Quick Answer: 293 Detailed Answer: 295

3. Which of the following best describes TACACS+?
❍ A. A symmetric-key authentication protocol used to protect the sending of logon information
❍ B. A remote-access control system providing authentication, authorization, and accounting
❍ C. A centralized authentication and access control for credentials to resources within an enterprise
❍ D. An on-demand authentication used at random intervals within an ongoing data transmission
Quick Answer: 293 Detailed Answer: 295

4. Which of the following best describes RADIUS?
❍ A. A symmetric-key authentication protocol used to protect the sending of logon information
❍ B. A remote-access control system providing authentication, authorization, and accounting
❍ C. A centralized authentication and access control for credentials to resources within an enterprise
❍ D. An on-demand authentication used at random intervals within an ongoing data transmission
Quick Answer: 293 Detailed Answer: 295
5. Which of the following best describes CHAP?
❍ A. A symmetric-key authentication protocol used to protect the sending of logon information
❍ B. A remote-access control system providing authentication, authorization, and accounting
❍ C. A centralized authentication and access control for credentials to resources within an enterprise
❍ D. An on-demand authentication used at random intervals within an ongoing data transmission
Quick Answer: 293 Detailed Answer: 295

6. Which of the following best describes Kerberos?
❍ A. A symmetric-key authentication protocol used to protect the sending of logon information
❍ B. A remote-access control system providing authentication, authorization, and accounting
❍ C. A centralized authentication and access control for credentials to resources within an enterprise
❍ D. An on-demand authentication used at random intervals within an ongoing data transmission
Quick Answer: 293 Detailed Answer: 295

7. Wireless, port-based access control is often paired with which of the following?
❍ A. Kerberos
❍ B. RADIUS
❍ C. TACACS+
❍ D. CHAP
Quick Answer: 293 Detailed Answer: 296

8. Which of the following types of authentication involves comparison of two values calculated using the message digest (MD5) hashing algorithm?
❍ A. Kerberos
❍ B. RADIUS
❍ C. TACACS+
❍ D. CHAP
Quick Answer: 293 Detailed Answer: 296

9. Which of the following should an organization deploy if the use of an asymmetric encryption method is required?
❍ A. Kerberos
❍ B. TACACS
❍ C. PKI
❍ D. CHAP
Quick Answer: 293 Detailed Answer: 296
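The exchange behind questions 5 and 8, written out as an added Python example (this is not code from the book): the authenticator sends a one-octet Identifier and a random challenge, the peer answers with MD5(Identifier || secret || challenge) as RFC 1994 specifies, and the authenticator recomputes that value from its own copy of the secret and compares. The peer name "alice", the secrets, and the fixed challenge used by run_exchange are constructed for the example.

```python
import hashlib
import os
from hmac import compare_digest

# Added example, not from the book: a CHAP (RFC 1994) challenge/response
# exchange. The shared secret never crosses the link; only the challenge
# and a 16-byte MD5 value do. The authenticator must therefore hold the
# secret in recoverable form, which is CHAP's main weakness.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || challenge)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("the CHAP Identifier field is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that issues challenges (for example, a PPP access server)."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # peer name -> shared secret
        self._pending = {}              # identifier -> outstanding challenge

    def challenge(self, identifier: int, challenge=None) -> bytes:
        # A fresh random challenge per exchange prevents replay of an old response.
        value = challenge if challenge is not None else os.urandom(16)
        self._pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge is answered at most once; a replayed response fails here.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return compare_digest(expected, response)   # constant-time comparison


def chap_peer(identifier: int, name: str, secret: bytes, challenge: bytes):
    """The side being authenticated: returns the Response packet payload."""
    return name, chap_response(identifier, secret, challenge)


def run_exchange(server_secret: bytes, peer_secret: bytes,
                 challenge: bytes = bytes(range(16))) -> bool:
    """One full Challenge -> Response -> Success/Failure round trip."""
    authenticator = ChapAuthenticator({"alice": server_secret})   # constructed peer
    identifier = 0x2A
    sent_challenge = authenticator.challenge(identifier, challenge)
    name, response = chap_peer(identifier, "alice", peer_secret, sent_challenge)
    return authenticator.verify(identifier, name, response)


def replay_is_rejected(secret: bytes = b"s3cret") -> bool:
    """Capturing a valid response and sending it again must fail."""
    authenticator = ChapAuthenticator({"alice": secret})
    sent_challenge = authenticator.challenge(7)
    name, response = chap_peer(7, "alice", secret, sent_challenge)
    first = authenticator.verify(7, name, response)
    second = authenticator.verify(7, name, response)
    return first and not second


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"s3cret", b"s3cret"))
    print("wrong secret:", run_exchange(b"s3cret", b"wrong"))
    print("replay rejected:", replay_is_rejected())
```

Two practitioner caveats follow from the code: the comparison in verify is what the "two values calculated using MD5" in question 8 refers to, and because the secret enters the hash unsalted, anyone who captures a challenge/response pair can run an offline dictionary attack against a weak secret even though the secret itself was never transmitted.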
10. An organization wants to implement multifactor authentication. Which of the following could be used? (Select all correct answers.)
❍ A. Smart cards
❍ B. Kerberos authentication
❍ C. Anonymous access
❍ D. Biometric authentication
Quick Answer: 293 Detailed Answer: 296

11. An organization is looking for a biometric method that identifies an individual by using the colored part of the eye surrounding the pupil. Which of the following solutions should they implement?
❍ A. Signature
❍ B. Iris profile
❍ C. Facial geometry
❍ D. Retinal scan
Quick Answer: 293 Detailed Answer: 296

12. Which of the following are issues associated with the implementation of biometric authentication methods? (Select all correct answers.)
❍ A. Error ratios
❍ B. Invasiveness
❍ C. Account lockouts
❍ D. Cross-contamination
Quick Answer: 293 Detailed Answer: 296

13. Which of the following technologies provides a mechanism for the creation of a secured tunnel through a public network?
❍ A. VPN
❍ B. RAS
❍ C. LDAP
❍ D. RADIUS
Quick Answer: 293 Detailed Answer: 297

14. Which of the following technologies functions as a gateway through which the remote user may access local resources?
❍ A. VPN
❍ B. RAS
❍ C. LDAP
❍ D. RADIUS
Quick Answer: 293 Detailed Answer: 297
15. Which of the following technologies allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory?
❍ A. VPN
❍ B. RAS
❍ C. LDAP
❍ D. RADIUS
Quick Answer: 293 Detailed Answer: 297

16. In which of the following technologies is a centralized authentication solution managed through a client/server configuration?
❍ A. VPN
❍ B. RAS
❍ C. LDAP
❍ D. RADIUS
Quick Answer: 293 Detailed Answer: 297

17. Which of the following would be implemented if the organization requires a solution for both authentication and authorization? (Select all correct answers.)
❍ A. RADIUS
❍ B. TACACS+
❍ C. LDAP
❍ D. RAS
Quick Answer: 293 Detailed Answer: 297

18. Which of the following ports would have to be open if the organization wants to implement a solution that includes LDAP?
❍ A. 161
❍ B. 110
❍ C. 389
❍ D. 162
Quick Answer: 293 Detailed Answer: 298

19. Which of the following best describes the part of a packet that is encrypted by RADIUS?
❍ A. The datagram only
❍ B. The entire packet
❍ C. Only the password
❍ D. Only the header
Quick Answer: 293 Detailed Answer: 298
20. Which of the following protocols does RADIUS use?
❍ A. UDP
❍ B. TCP
❍ C. FTP
❍ D. SMTP
Quick Answer: 293 Detailed Answer: 298

21. Which of the following protocols does TACACS+ use?
❍ A. TCP
❍ B. UDP
❍ C. FTP
❍ D. SNMP
Quick Answer: 293 Detailed Answer: 298

22. An organization is implementing a technology that uses only CHAP for authentication. Which of the following protocols will be used with CHAP?
❍ A. FTP
❍ B. PPTP
❍ C. SPAP
❍ D. PPP
Quick Answer: 293 Detailed Answer: 298

23. Which of the following best describes the difference between RADIUS and TACACS?
❍ A. TACACS is an actual Internet standard; RADIUS is not.
❍ B. RADIUS is an encryption protocol; TACACS is an authentication protocol.
❍ C. RADIUS is an actual Internet standard; TACACS is not.
❍ D. RADIUS is an authentication protocol; TACACS is an encryption protocol.
Quick Answer: 293 Detailed Answer: 298

24. To which of the following are biometric devices susceptible? (Select all correct answers.)
❍ A. False acceptance
❍ B. False positives
❍ C. False negatives
❍ D. False rejection
Quick Answer: 293 Detailed Answer: 298
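Questions 19 and 20 turn on how little RADIUS protects on the wire: an Access-Request travels over UDP with only the User-Password attribute hidden, and that hiding is an MD5-based XOR stream keyed by the shared secret and the 16-byte Request Authenticator (RFC 2865, section 5.2). The following is an added Python example, not code from the book, that builds such a packet and recovers the password the way a server does. The user name, password, shared secret, and fixed authenticator in demo are constructed values.

```python
import hashlib
import os
import struct

# Added example, not from the book. Builds a RADIUS Access-Request (code 1)
# and applies the RFC 2865 section 5.2 User-Password hiding. Everything
# else in the packet (User-Name, NAS address, ...) is plaintext on the wire.

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16-octet blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")   # strip padding; a password cannot end in NUL


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet) | Length (1 octet, includes the header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator=None) -> bytes:
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """What the server does: read the authenticator, then un-hide the attribute."""
    authenticator = packet[4:20]
    return reveal_password(parse_attributes(packet)[ATTR_USER_PASSWORD], secret, authenticator)


def demo() -> dict:
    """Constructed values, not from any real deployment."""
    secret, auth = b"radius-shared-secret", bytes(range(16))
    pkt = build_access_request(1, b"alice", b"correct horse", secret, auth)
    return {
        "packet_length_ok": len(pkt) == int.from_bytes(pkt[2:4], "big"),
        "username_in_clear": b"alice" in pkt,
        "password_in_clear": b"correct horse" in pkt,
        "server_recovers": server_recover_password(pkt, secret),
        "wrong_secret_recovers": server_recover_password(pkt, b"wrong-secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note what this buys and what it does not: the user name is visible to anyone sniffing UDP 1812, the password is only as safe as the shared secret (an attacker who guesses the secret can strip the hiding offline from a capture), and nothing here authenticates the Access-Request itself; that is why RADIUS is normally confined to a management network or wrapped in IPsec or TLS.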
25. Which of the following best describes false rejection?
❍ A. The system allows an intrusive action to pass as normal.
❍ B. Allows access to an unauthorized user.
❍ C. Denies access to an authorized user.
❍ D. The system deems a legitimate action a possible intrusion.
Quick Answer: 293 Detailed Answer: 298

Objective 5.2: Explain the fundamental concepts and best practices related to authorization and access control.

1. Which of the following security access control methods is best equated to the phrase "less is more"?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 299

2. Which of the following security access control methods is best equated to the principle behind Microsoft's User Account Control (UAC) technology?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 299

3. Which of the following security access control methods is best described as resource availability restricted to only those logons explicitly granted access?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 299
4. Which of the following security access control methods is best described as the separation of logons as well as the separation of roles?
❍ A. Mandatory vacations
❍ B. Principle of least privilege
❍ C. Separation of duties
❍ D. Rotation of job duties
Quick Answer: 293 Detailed Answer: 299

5. Which of the following security access control methods is best described as the practice of terminating passwords on a regular basis?
❍ A. Rotation
❍ B. Purging
❍ C. Aging
❍ D. Expiration
Quick Answer: 293 Detailed Answer: 300

6. Which of the following security access control methods is best described as the practice of revolving administrative users between roles?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 300

7. An organization is concerned about the proper level of access. Which of the following security access control methods would best mitigate this risk?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 300

8. An organization is concerned about securing resource availability. Which of the following security access control methods would best mitigate this risk?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 300
9. An organization is concerned about the fact that the programmers also test the software they are developing. Which of the following security access control methods would best mitigate this risk?
❍ A. Mandatory vacations
❍ B. Principle of least privilege
❍ C. Separation of duties
❍ D. Rotation of job duties
Quick Answer: 293 Detailed Answer: 301

10. An organization is concerned about fraudulent activity. Which of the following security access control methods would best mitigate this risk?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 301

11. An organization is concerned about software development contractors having access to network resources after the contracted work has been completed. Which of the following security access control methods would best mitigate this risk?
❍ A. Implicit deny
❍ B. Least privilege
❍ C. Job rotation
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 301

12. Which of the following best describes the security access control method that protects the network by ensuring that an inadvertent malware execution during normal daily operations cannot then attack the network with full administrative privileges?
❍ A. Segregation of duties
❍ B. Separation of accounts
❍ C. Separation of roles
❍ D. Segregation of resources
Quick Answer: 293 Detailed Answer: 301

13. Which of the following best describes the control within the Microsoft environment that allows lesser accounts to perform privileged processes?
❍ A. "Run as" option
❍ B. "Send to" option
❍ C. "Gpresult" command
❍ D. "Run" command
Quick Answer: 293 Detailed Answer: 302
14. Which of the following best describes the protection mechanism of using the access control practice to expire passwords on a regular basis?
❍ A. Spoofing attacks
❍ B. Null session attacks
❍ C. ARP poisoning attacks
❍ D. Brute-force attacks
Quick Answer: 293 Detailed Answer: 302

15. Which of the following basic access control methods would be violated when an employee is given roles that include security management procedures and compliance audit procedures?
❍ A. Implicit deny
❍ B. Principle of least privilege
❍ C. Separation of duties
❍ D. Account expiration
Quick Answer: 293 Detailed Answer: 302

16. Which of the following best describe the general forms that constitute authentication? (Select all correct answers.)
❍ A. Something you touch
❍ B. Something you have
❍ C. Something you know
❍ D. Something you are
Quick Answer: 293 Detailed Answer: 302

17. Which of the following best describes the type of authentication provided by using a logon ID and password?
❍ A. Multifactor authentication
❍ B. Single-factor authentication
❍ C. Mutual authentication
❍ D. On-demand authentication
Quick Answer: 293 Detailed Answer: 302

18. Which of the following best describes the type of authentication provided when the client and server verify that the computer they are communicating with is the proper system?
❍ A. Multifactor authentication
❍ B. Single-factor authentication
❍ C. Mutual authentication
❍ D. On-demand authentication
Quick Answer: 293 Detailed Answer: 302
19. Which of the following best describes the type of authentication provided within an ongoing data transmission?
❍ A. Multifactor authentication
❍ B. Single-factor authentication
❍ C. Mutual authentication
❍ D. On-demand authentication
Quick Answer: 293 Detailed Answer: 303

20. Which of the following best describes the type of authentication provided by using fingerprint scanning and a password?
❍ A. Multifactor authentication
❍ B. Single-factor authentication
❍ C. Mutual authentication
❍ D. On-demand authentication
Quick Answer: 293 Detailed Answer: 303

21. Which of the following best describes the process of determining the identity of the account attempting to access a resource?
❍ A. Authorization
❍ B. Authentication
❍ C. Identification
❍ D. Validation
Quick Answer: 293 Detailed Answer: 303

22. Which of the following is one of the most widespread examples of the shortcomings of an authentication system?
❍ A. Lost tokens
❍ B. False positives
❍ C. Weak encryption
❍ D. Easily guessed passwords
Quick Answer: 293 Detailed Answer: 303

23. Which of the following authentication methods would most likely be used for access to a library kiosk?
❍ A. A logon identifier and password
❍ B. Anonymous access and password
❍ C. Biometric keys and security token
❍ D. Account logon and security token
Quick Answer: 293 Detailed Answer: 303
24. Which of the following authentication methods would most likely be used for access to a governmental financial network?
❍ A. A logon identifier and password
❍ B. Anonymous access and password
❍ C. Biometric keys and security token
❍ D. Account logon and security token
Quick Answer: 293 Detailed Answer: 304

25. Which of the following authentication methods would most likely be used for access to an airport kiosk?
❍ A. A security token
❍ B. Anonymous access
❍ C. Biometric keys
❍ D. Account logon
Quick Answer: 293 Detailed Answer: 304

26. Which of the following is the correct sequence when a user requests access to a resource?
❍ A. Authentication occurs first and then access is determined.
❍ B. Access rights are determined by authentication method.
❍ C. Authentication and access control occur at the same time.
❍ D. Access must be granted first, and then authentication occurs.
Quick Answer: 293 Detailed Answer: 304

27. Which of the following most accurately describes authentication?
❍ A. The presentation of a unique identity
❍ B. A unique identity with a security principal
❍ C. The presentation of credentials
❍ D. A set of resources available
Quick Answer: 293 Detailed Answer: 304

28. Which of the following are advantages of implementing a single sign-on solution? (Select all correct answers.)
❍ A. Reduced costs
❍ B. Reduced threats
❍ C. Reduced user support
❍ D. Reduced authentication complexity
Quick Answer: 293 Detailed Answer: 304
29. Which of the following authentication methods would most likely be used for access to a corporate network by telecommuters?
❍ A. A logon identifier and password
❍ B. Anonymous access and password
❍ C. Biometric keys and security token
❍ D. Account logon and security token
Quick Answer: 293 Detailed Answer: 304

30. Which of the following most accurately describes single sign-on?
❍ A. Separate accounts granting access to each service
❍ B. Administrative login granting access to all services
❍ C. One account granting access to all services
❍ D. Anonymous login granting access to all services
Quick Answer: 293 Detailed Answer: 305

31. Which of the following access control methods involves the assignment of labels to resources and accounts?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 305

32. Which of the following access control methods involves the explicit specification of access rights for accounts with regard to each particular resource?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 305

33. Which of the following access control methods commonly involves testing against an access control list that details systems and accounts with access rights?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 305
34. Which of the following access control methods commonly involves access rights that may vary by account or by time of day?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 306

35. Which of the following access control methods would most likely be used within governmental systems?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 306

36. Which of the following access control methods would involve assignment of rights to groups for inheritance by group member account?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 306

37. The network administrator is responsible for selecting the access control method that will be used for a new kiosk system. Organization members want to have full access to information about all categories of information, but visitors should have access only to general items about the organization. Which forms of access control are most appropriate to this requirement? (Select all correct answers.)
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 306

38. The network administrator is responsible for selecting the access control method that will be used for a new 24-hour employee cafeteria. Members of management must always be granted access, whereas other staff members should be granted access only during their assigned lunch hours. Visitors should be allowed access during normal business hours only. What form of access control is best for this scenario?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 293 Detailed Answer: 306

39. According to the TCSEC specification, which of the following are divisions of access control? (Select all correct answers.)
❍ A. Minimal
❍ B. Verified
❍ C. Logical
❍ D. Physical
Quick Answer: 293 Detailed Answer: 307

40. According to the TCSEC specification, which of the following is the highest level of access?
❍ A. Minimal
❍ B. Mandatory
❍ C. Verified
❍ D. Discretionary
Quick Answer: 294 Detailed Answer: 307

41. The organization is selecting an access control method where the objective is to assign permissions based on forms of conditional testing. Which form of access control is most appropriate to meet this requirement?
❍ A. Rule-based access model
❍ B. Group-based access model
❍ C. Role-based access model
❍ D. User-based security model
Quick Answer: 294 Detailed Answer: 307

42. The organization is selecting an access control method where the objective is to assign strict permissions where, if the labels on the account and resource do not match, the resource remains unavailable. Which form of access control is most appropriate to meet this requirement?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 294 Detailed Answer: 307
43. The organization is selecting an access control method in which the subject has complete control over the objects that it owns. Which form of access control is most appropriate to meet this requirement?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 294 Detailed Answer: 307

44. In which of the following forms of access control would access be granted based on a categorical assignment such as classified, secret, or top secret?
❍ A. Mandatory access control
❍ B. Discretionary access control
❍ C. Role-based access control
❍ D. Rule-based access control
Quick Answer: 294 Detailed Answer: 308

45. The organization is selecting an access control method where the objective is to provide a great level of scalability within its large enterprise scenarios. Which form of access control is most appropriate to meet this requirement?
❍ A. Rule-based access model
❍ B. Group-based access model
❍ C. Role-based access model
❍ D. User-based security model
Quick Answer: 294 Detailed Answer: 308

46. Which of the following best describes the type of authentication with a smart card that contains details of your iris coloring?
❍ A. What you have and what you do.
❍ B. What you have and what you are.
❍ C. What you are and what you know.
❍ D. What you do and what you are.
Quick Answer: 294 Detailed Answer: 308

47. Which of the following authentication methods is employed by U.S. federal governmental employees and contractors under HSPD 12?
❍ A. Smart card
❍ B. CAC
❍ C. PIV
❍ D. SecurID
Quick Answer: 294 Detailed Answer: 308
48. Which of the following authentication methods is used by U.S. military, military reserve, and military contractors?
❍ A. Smart card
❍ B. CAC
❍ C. PIV
❍ D. SecurID
Quick Answer: 294 Detailed Answer: 308

49. Which of the following is the proper order of operations during the Access Control process?
❍ A. Authorization, Authentication, Accounting
❍ B. Identification, Authentication, Access Control
❍ C. Identification, Authorization, Access Control
❍ D. Authentication, Authorization, Access Control
Quick Answer: 294 Detailed Answer: 308

50. An organization wants to implement a biometric measure that scans the back of the eye. Which of the following methods would the organization choose?
❍ A. Retina
❍ B. Iris
❍ C. Signature
❍ D. Facial recognition
Quick Answer: 294 Detailed Answer: 309

Objective 5.3: Implement appropriate security controls when performing account management.

1. Which of the following best describes an access control list?
❍ A. A combination of methods to limit access to data
❍ B. Underlying data that defines access permissions
❍ C. A method to set consistent common security standards
❍ D. A unique value that identifies a security principal
Quick Answer: 294 Detailed Answer: 309

2. Which of the following best describes logical access control?
❍ A. A combination of methods to limit access to data
❍ B. Underlying data that defines access permissions
❍ C. A method to set consistent common security standards
❍ D. A unique value that identifies a security principal
Quick Answer: 294 Detailed Answer: 309
3. Which of the following best describes a security identifier?
❍ A. A combination of methods to limit access to data
❍ B. Underlying data that defines access permissions
❍ C. A method to set consistent common security standards
❍ D. A unique value that identifies a security principal
Quick Answer: 294 Detailed Answer: 310

4. Which of the following best describes group policy?
❍ A. A combination of methods to limit access to data
❍ B. Underlying data that defines access permissions
❍ C. A method to set consistent common security standards
❍ D. A unique value that identifies a security principal
Quick Answer: 294 Detailed Answer: 310

5. Which of the following best describes a decentralized security management model?
❍ A. Less secure but more scalable than a centralized model
❍ B. More secure but less scalable than a centralized model
❍ C. More secure and more scalable than a centralized model
❍ D. Less secure and less scalable than a centralized model
Quick Answer: 294 Detailed Answer: 310

6. Which of the following best describes a centralized security management model?
❍ A. Less secure but more scalable than a decentralized model
❍ B. More secure but less scalable than a decentralized model
❍ C. More secure and more scalable than a decentralized model
❍ D. Less secure and less scalable than a decentralized model
Quick Answer: 294 Detailed Answer: 310

7. Which of the following best describes the general order of Group Policy object application?
❍ A. Group policies get applied from the top down.
❍ B. Group policies get applied based on complexity.
❍ C. Group policies get applied based on alphabetic order.
❍ D. Group policies get applied from the bottom up.
Quick Answer: 294 Detailed Answer: 311
8. Which of the following would conform to best practices with regard to password policy?
❍ A. At least four characters, uppercase and lowercase letters, numbers, and special characters
❍ B. At least six characters, lowercase letters, numbers, and special characters
❍ C. At least eight characters, uppercase and lowercase letters, numbers, and special characters
❍ D. At least twelve characters, uppercase and lowercase letters, numbers, and special characters
Quick Answer: 294 Detailed Answer: 311

9. Which of the following is the correct number of domain password policies that can be set for a Windows 2008 domain?
❍ A. One
❍ B. Three
❍ C. Ten
❍ D. Unlimited
Quick Answer: 294 Detailed Answer: 311

10. Which of the following are best practices when formulating password account policies? (Select all correct answers.)
❍ A. Set the server to not allow users to reuse the same password.
❍ B. Require password complexity for all accounts.
❍ C. Lock user accounts out after two failed logon attempts.
❍ D. Require users to change passwords every 60 to 90 days.
Quick Answer: 294 Detailed Answer: 311

11. An organization is implementing a domain policy where the employees are primarily shift workers. Which of the following would be the best solution to implement?
❍ A. Mandatory password changes
❍ B. Increased account lockout time
❍ C. Time-of-day restrictions
❍ D. Reduced failed logon attempts
Quick Answer: 294 Detailed Answer: 311
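Questions 10 and 11 are about the account-policy knobs themselves: a lockout threshold counted within an observation window, a lockout duration, and logon-hours (time-of-day) restrictions for shift workers. The following added Python example, not from the book, evaluates a constructed sequence of logon attempts against such a policy. The thresholds, user names, and timestamps are made up for the example, and the evaluation order (lockout state, then credential, then logon hours) is a simplification of what a real domain controller does.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Added example, not from the book. A minimal account-policy evaluator:
# lockout threshold + observation window + lockout duration, plus per-user
# logon hours. All values used in run_sample are constructed.


@dataclass
class AccountPolicy:
    lockout_threshold: int = 5                              # 0 disables lockout
    observation_window: timedelta = timedelta(minutes=30)  # "reset counter after"
    lockout_duration: timedelta = timedelta(minutes=30)
    logon_hours: dict = field(default_factory=dict)        # user -> (start, end) local time


@dataclass
class Attempt:
    when: datetime
    user: str
    password_ok: bool   # result of the credential check alone


class LogonGuard:
    def __init__(self, policy: AccountPolicy):
        self.policy = policy
        self._failures = {}       # user -> timestamps of recent bad passwords
        self._locked_until = {}   # user -> datetime the lockout expires

    def evaluate(self, a: Attempt) -> str:
        until = self._locked_until.get(a.user)
        if until is not None and a.when < until:
            return "LOCKED"        # right password or not, the account is out of service
        if not a.password_ok:
            return self._record_failure(a)
        self._failures[a.user] = []   # a good password resets the bad-attempt counter
        hours = self.policy.logon_hours.get(a.user)
        if hours is not None and not (hours[0] <= a.when.time() < hours[1]):
            return "OUTSIDE_HOURS"
        return "ALLOWED"

    def _record_failure(self, a: Attempt) -> str:
        p = self.policy
        # Only failures inside the observation window count toward the threshold.
        recent = [t for t in self._failures.get(a.user, [])
                  if a.when - t < p.observation_window]
        recent.append(a.when)
        self._failures[a.user] = recent
        if p.lockout_threshold and len(recent) >= p.lockout_threshold:
            self._locked_until[a.user] = a.when + p.lockout_duration
            self._failures[a.user] = []
            return "LOCKED"
        return "BAD_PASSWORD"


def run_sample():
    """Constructed attempt log; returns (user, decision) for each attempt in order."""
    policy = AccountPolicy(
        lockout_threshold=3,
        observation_window=timedelta(minutes=10),
        lockout_duration=timedelta(minutes=30),
        logon_hours={"bob": (time(7, 0), time(19, 0))},   # day shift only
    )
    day = datetime(2012, 1, 16)

    def at(hour, minute):
        return day.replace(hour=hour, minute=minute)

    attempts = [
        Attempt(at(8, 0), "bob", False),     # 1st bad password
        Attempt(at(8, 1), "bob", False),     # 2nd
        Attempt(at(8, 2), "bob", False),     # 3rd -> locked until 08:32
        Attempt(at(8, 5), "bob", True),      # right password, still locked
        Attempt(at(8, 40), "bob", True),     # lockout expired, inside shift hours
        Attempt(at(22, 0), "bob", True),     # right password, outside shift hours
        Attempt(at(8, 0), "alice", False),   # alice: bad password
        Attempt(at(8, 20), "alice", False),  # 20 min later: window expired, counts as 1st
        Attempt(at(8, 21), "alice", False),  # 2nd inside the window, below threshold
    ]
    guard = LogonGuard(policy)
    return [(a.user, guard.evaluate(a)) for a in attempts]


def threshold_zero_never_locks(bad_attempts: int = 20) -> bool:
    """Lockout threshold 0 means 'never lock', however many failures arrive."""
    guard = LogonGuard(AccountPolicy(lockout_threshold=0))
    start = datetime(2012, 1, 16, 9, 0)
    results = {guard.evaluate(Attempt(start + timedelta(seconds=i), "carol", False))
               for i in range(bad_attempts)}
    return results == {"BAD_PASSWORD"}


if __name__ == "__main__":
    for user, decision in run_sample():
        print(f"{user:6} {decision}")
```

The alice rows show why the observation window matters as much as the threshold: a low threshold with a long window is what turns a lockout policy into a denial-of-service tool for anyone who knows valid user names, which is the practical reason the "two failed attempts" option in question 10 is not a best practice.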
12. In Microsoft operating systems, which of the following best describes an access control entry?
❍ A. A combination of methods to limit access to data
❍ B. A method to set consistent common security standards
❍ C. A unique value that identifies a security principal
❍ D. A descriptor that contains the name of a user, group, or role
Quick Answer: 294 Detailed Answer: 311

13. An organization is implementing a method of control where the requirements are that employees at different locations are responsible for managing privileges within their administrative areas. Which of the following security management models will they implement?
❍ A. User based
❍ B. Centralized
❍ C. Decentralized
❍ D. Group based
Quick Answer: 294 Detailed Answer: 312

14. An organization is implementing a method of control where the requirements are that employees at one location are responsible for managing privileges for the entire organization. Which of the following security management models can they implement? (Select all correct answers.)
❍ A. User based
❍ B. Centralized
❍ C. Decentralized
❍ D. Group based
Quick Answer: 294 Detailed Answer: 312

15. An administrator is troubleshooting a group policy issue on a computer that is a member of a workgroup rather than a domain member. Which of the following would be the most likely reason the policy is not working?
❍ A. Only the local policy is applied.
❍ B. The policy is set to no override.
❍ C. The Block Inheritance setting has been checked.
❍ D. The policy is marked for No Override.
Quick Answer: 294 Detailed Answer: 312
16. GPOs can be associated with or linked to which of the following? (Select all correct answers.)
❍ A. Organizational units
❍ B. Domains
❍ C. Sites
❍ D. Forests
Quick Answer: 294 Detailed Answer: 312

17. Which of the following would be the most likely result of a GPO conflict?
❍ A. The policy lower in the list takes preference.
❍ B. The GPO that was created first takes preference.
❍ C. The conflict will cause neither policy to be applied.
❍ D. The policy higher up in the list will take preference.
Quick Answer: 294 Detailed Answer: 312

18. Which of the following should be implemented if the organization wants to be sure that all users are off of the network each evening when the backup is run?
❍ A. Account expiration
❍ B. Account lockout
❍ C. Time-of-day restrictions
❍ D. Software restriction policies
Quick Answer: 294 Detailed Answer: 312

19. An organization is implementing a domain policy where the employees are temporary and contract workers. Which of the following is the best solution to implement?
❍ A. Account expiration
❍ B. Account lockout
❍ C. Time-of-day restrictions
❍ D. Software restriction policies
Quick Answer: 294 Detailed Answer: 312

20. An organization is implementing a domain policy where the primary concern is unauthorized attempted access via active user accounts. Which of the following would be the best solution to implement?
❍ A. Account expiration
❍ B. Account lockout
❍ C. Time-of-day restrictions
❍ D. Software restriction policies
Quick Answer: 294 Detailed Answer: 313
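Question 7 and questions 15 through 17 all come down to Group Policy precedence: the local policy is processed first, then site, domain, and OU links from the top of the tree down, with a later-applied GPO overriding an earlier one on any conflicting setting; within one container the GPO at the top of the link list is processed last and wins; Block Inheritance stops ordinary GPOs from containers above; and an Enforced ("No Override") GPO is not blocked and cannot be overridden by anything below it. The following added Python example, not from the book and not Microsoft's implementation, resolves a constructed hierarchy under those rules. The GPO names and settings are made up, and settings are plain key/value pairs rather than real registry paths.

```python
from dataclasses import dataclass, field

# Added example, not from the book. Models Group Policy precedence
# (local, site, domain, OU; link order; Block Inheritance; Enforced).
# GPO names and settings in demo() are constructed for the example.


@dataclass
class GPO:
    name: str
    settings: dict


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False    # "No Override" in older documentation
    enabled: bool = True


@dataclass
class Container:
    name: str                                   # a site, the domain, or an OU
    links: list = field(default_factory=list)   # index 0 = top of the link list
    block_inheritance: bool = False


def resolve(local: GPO, path: list):
    """Return (effective settings, GPO names in the order they were applied).

    `path` runs from the site down to the OU that holds the computer or user.
    An empty path is a workgroup member: only the local GPO applies (question 15).
    """
    effective, applied = {}, []

    def apply(gpo: GPO):
        effective.update(gpo.settings)   # later application wins on conflict
        applied.append(gpo.name)

    apply(local)   # processed first, so it loses every conflict with AD-linked GPOs
    # Non-enforced GPOs linked above the deepest container with Block Inheritance are dropped.
    block_at = max((i for i, c in enumerate(path) if c.block_inheritance), default=-1)
    for i, container in enumerate(path):
        if i < block_at:
            continue
        for link in reversed(container.links):   # bottom of the list first, top last
            if link.enabled and not link.enforced:
                apply(link.gpo)
    # Enforced GPOs ignore Block Inheritance and cannot be overridden below them.
    # Walking deepest-first makes the enforced GPO highest in the hierarchy apply last.
    for container in reversed(path):
        for link in reversed(container.links):
            if link.enabled and link.enforced:
                apply(link.gpo)
    return effective, applied


def demo(block_inheritance: bool):
    local = GPO("Local", {"screen_lock_minutes": 60, "wallpaper": "default"})
    site = Container("Site HQ")
    domain = Container("Domain corp.example", [
        Link(GPO("Security Baseline", {"screen_lock_minutes": 10}), enforced=True),
        Link(GPO("Default Domain Policy", {"wallpaper": "corp", "proxy": "proxy.corp.example"})),
    ])
    sales = Container("OU Sales", [
        Link(GPO("Sales Top", {"wallpaper": "sales"})),
        Link(GPO("Sales Bottom", {"wallpaper": "sales-old", "screen_lock_minutes": 30})),
    ], block_inheritance=block_inheritance)
    return resolve(local, [site, domain, sales])


def workgroup_demo():
    return resolve(GPO("Local", {"screen_lock_minutes": 60}), [])


if __name__ == "__main__":
    for blocked in (False, True):
        settings, order = demo(blocked)
        print(f"Block Inheritance={blocked}: applied {order} -> {settings}")
```

Reading the two runs side by side shows the point of question 17: the OU's "Sales Top" beats "Sales Bottom" because it is higher in the link list, the enforced "Security Baseline" beats everything in the OU and survives Block Inheritance, while the non-enforced "Default Domain Policy" (and its proxy setting) disappears entirely once the OU blocks inheritance.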
21. Which of the following information is held in a user account? (Select all correct answers.)
❍ A. Permissions
❍ B. Password
❍ C. Name
❍ D. Devices
Quick Answer: 294 Detailed Answer: 313

22. Which of the following groups has the greatest access to data and the opportunity to either deliberately sabotage it or accidentally delete it?
❍ A. Partnering vendors
❍ B. Contract workers
❍ C. Internal users
❍ D. External users
Quick Answer: 294 Detailed Answer: 313

23. To which of the following types of groups would a user be assigned for applications such as Microsoft Exchange?
❍ A. Mail
❍ B. Distribution
❍ C. Security
❍ D. Administrator
Quick Answer: 294 Detailed Answer: 313

24. In a Microsoft Windows 2008 network, in which of the following groups could a user be placed? (Select all correct answers.)
❍ A. Local
❍ B. Global
❍ C. Domain
❍ D. Universal
Quick Answer: 294 Detailed Answer: 313

25. Which of the following access control methods would most likely be used to manage the access permissions in a peer-to-peer network or a workgroup?
❍ A. Rule-based access model
❍ B. Group-based access model
❍ C. Role-based access model
❍ D. User-based security model
Quick Answer: 294 Detailed Answer: 313
26. Which of the following access control methods would be used to manage the access permissions on a large number of user accounts?
❍ A. Rule-based access model
❍ B. Group-based access model
❍ C. Role-based access model
❍ D. User-based security model
Quick Answer: 294 Detailed Answer: 314

27. To which of the following types of groups would a user be assigned for access to information such as a home directory?
❍ A. Mail
❍ B. Distribution
❍ C. Security
❍ D. Administrator
Quick Answer: 294 Detailed Answer: 314

28. Which of the following best describes the user rights assignment? (Select all correct answers.)
❍ A. Segregates users
❍ B. Grants specific privileges
❍ C. Segregates resources
❍ D. Grants logon rights
Quick Answer: 294 Detailed Answer: 314

29. The organization is selecting an access control method where the objective is to assign permissions uniquely to each account. Which form of access control is most appropriate to meet this requirement?
❍ A. Rule-based access model
❍ B. Group-based access model
❍ C. Role-based access model
❍ D. User-based security model
Quick Answer: 294 Detailed Answer: 314

30. The organization is selecting an access control method where the objective is to assign permissions based on ease of administration. Which form of access control is most appropriate to meet this requirement?
❍ A. Rule-based access model
❍ B. Group-based access model
❍ C. Role-based access model
❍ D. User-based security model
Quick Answer: 294 Detailed Answer: 314
292
Chapter 5
✓
Quick Check
31. Which of the following most accurately describes user rights and user permissions? (Select all correct answers.)
❍
A. Logon rights control who and how users log on to the computer.
❍
B. Rights allow users to perform system tasks, such as the right to back up files.
❍
C. Permissions control who and how users log on to the computer.
Quick Answer: 294 Detailed Answer: 315
❍ D. Permissions allow users to perform system tasks such as the right to back up files. 32. If an administrator gives a user full access in one group and no access in another group, which of the following is the end result?
❍ ❍ ❍
Quick Answer: 294 Detailed Answer: 315
A. Full access B. No access C. Read access
❍ D. Write access 33. If an administrator gives a user write access in one group and read access in another group, which of the following is the highest level of access the user is granted?
❍ ❍ ❍
Quick Answer: 294 Detailed Answer: 315
A. Full access B. No access C. Read access
❍ D. Write access 34. Which of the following is a best practice when applying permissions to accounts in a domain environment?
❍ A. ❍ B. ❍ C. ❍ D.
Detailed Answer: 315
Apply to group accounts Apply to individual accounts Apply to local accounts Apply to universal accounts
35. Which of the following is a best practice when using the Administrator account?
❍
Quick Answer: 294
A. Used for all functions provided the user has administrative privileges
❍ B. Used only for the purpose of logging in to the server ❍ C. Used only for the purpose of administering the server ❍ D. Never used because it is a sensitive account
Quick Answer: 294 Detailed Answer: 315
Quick-Check Answer Key

Objective 5.1: Explain the function and purpose of authentication services.
1. B, C, D
2. D
3. B
4. C
5. D
6. A
7. B
8. D
9. C
10. A, B, D
11. B
12. A, B
13. A
14. B
15. C
16. D
17. A, B
18. C
19. C
20. B
21. A
22. D
23. C
24. A, D
25. C

Objective 5.2: Explain the fundamental concepts and best practices related to authorization and access control.
1. B
2. B
3. A
4. C
5. D
6. C
7. B
8. A
9. C
10. C
11. D
12. B
13. A
14. D
15. C
16. B, C, D
17. B
18. C
19. D
20. A
21. B
22. D
23. A
24. C
25. B
26. A
27. B
28. C, D
29. D
30. A
31. A
32. B
33. D
34. D
35. A
36. C
37. A, C
38. D
39. A, B
40. C
41. A
42. A
43. B
44. A
45. C
46. B
47. C
48. B
49. D
50. A

Objective 5.3: Implement appropriate security controls when performing account management.
1. B
2. A
3. D
4. C
5. A
6. B
7. D
8. C
9. A
10. A, B, D
11. C
12. D
13. C
14. B, D
15. A
16. A, B, C
17. D
18. C
19. A
20. B
21. A, B, C
22. C
23. B
24. A, B, C, D
25. D
26. B
27. C
28. B, D
29. D
30. B
31. A, D
32. B
33. D
34. A
35. C
Answers and Explanations

Objective 5.1: Explain the function and purpose of authentication services.

1. Answer: B, C, D. The strengths of Kerberos authentication come from its time-synchronized connections and the use of registered client and service keys within the Key Distribution Center (KDC). The KDC is a trusted third party that consists of two logically separate parts: an Authentication Server (AS) and a Ticket-Granting Server (TGS). Answer A is incorrect because Kerberos is not used with remote-access connections.

2. Answer: D. Challenge-Handshake Authentication Protocol (CHAP) functions over Point-to-Point Protocol (PPP) connections. CHAP can be used to provide on-demand authentication within an ongoing data transmission. Based on the previous information, answers A, B, and C are incorrect.

3. Answer: B. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer A is incorrect; it describes Kerberos. Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer C is incorrect; it describes RADIUS. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

4. Answer: C. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer A is incorrect; it describes Kerberos. Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer B is incorrect; it describes TACACS+. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

5. Answer: D. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission. Answer A is incorrect; it describes Kerberos. Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer B is incorrect; it describes TACACS+. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer C is incorrect; it describes RADIUS. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

6. Answer: A. Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer B is incorrect; it describes TACACS+. TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer C is incorrect; it describes
RADIUS. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

7. Answer: B. The IEEE 802.1X standard for wireless port-based access control can be used to provide authentication as well as access control, but is often paired with a RADIUS server to facilitate enterprisewide access management. Answer A is incorrect; Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer C is incorrect; TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer D is incorrect; it describes CHAP. The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission.

8. Answer: D. The Challenge-Handshake Authentication Protocol uses two compared values created using the MD5 hashing algorithm. Answer A is incorrect; Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer B is incorrect; TACACS+ is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer C is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

9. Answer: C. A Public Key Infrastructure (PKI) solution involves an asymmetric encryption scheme in which a public key is used to encrypt data and a separate private key is used to decrypt the data. Answer A is incorrect; Kerberos is a symmetric-key authentication protocol used to protect sending actual logon information across an unsecured network. Answer B is incorrect; TACACS is a remote-access control system providing authentication, authorization, and accounting (AAA). Answer D is incorrect; the Challenge-Handshake Authentication Protocol uses two compared values created using the MD5 hashing algorithm.

10. Answer: A, B, D. Any combination of authentication methods may be used in a multifactor solution. Multifactor authentication simply refers to solutions that include more than a single type of authentication. Answer C is incorrect. Anonymous access is the weakest form of authentication and is not combined with other authentication methods.

11. Answer: B. Iris profile biometric devices identify an individual by using the colored part of the eye that surrounds the pupil. Answer A is incorrect because signature recognition matches an individual's electronic signature against a database by comparing the electronic signals created by the speed and manner in which a document is signed. Answer C is incorrect because facial geometry identifies a user based on the profile and characteristics of the user's face. Answer D is incorrect because a retina scan identifies an individual by using the blood-vessel pattern at the back of the eyeball.

12. Answer: A, B. When using biometrics, remember that each method has its own degree of error ratios, and some methods may seem invasive to the users and may not be accepted gracefully. Answer C is incorrect because account lockouts have to do with passwords. Answer D is incorrect because cross-contamination is a physical concern not associated with biometric solutions.
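The "two compared values created using the MD5 hashing algorithm" from answer 8 are the peer's response and the authenticator's own recomputation of it. The following is an added worked example of that exchange, not code from the book: the authenticator keeps a shared secret per peer name, sends a random challenge, and the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies. The peer name, secret and identifiers are constructed sample values.

```python
"""CHAP (RFC 1994) challenge/response, both sides of the link.

The secret never crosses the link; only the challenge and the hash do. Because
the authenticator can issue a new challenge whenever it likes, the same
exchange serves the on-demand re-authentication the book describes.
"""
import hashlib
import hmac
import os

# Constructed sample credential table (assumed names, not real secrets).
PEER_SECRETS = {"peer-1": b"example-shared-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response-Value = MD5(Identifier || Secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: remembers outstanding challenges and verifies responses."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._pending = {}  # identifier -> challenge; removed on use so a replay fails

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)  # fresh random challenge each time
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


class ChapPeer:
    """Client side: answers with the hash, never with the secret itself."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_session(peer_secret: bytes, rounds: int = 3):
    """Initial handshake plus repeated re-challenges on one link; one result per round."""
    auth = ChapAuthenticator(PEER_SECRETS)
    peer = ChapPeer("peer-1", peer_secret)
    results = []
    for ident in range(1, rounds + 1):
        chal = auth.challenge(ident)
        name, resp = peer.respond(ident, chal)
        results.append(auth.verify(ident, name, resp))
    return results


def old_response_is_rejected() -> bool:
    """A response only matches the one challenge it was computed for."""
    auth = ChapAuthenticator(PEER_SECRETS)
    peer = ChapPeer("peer-1", PEER_SECRETS["peer-1"])
    name, resp = peer.respond(7, auth.challenge(7))
    first = auth.verify(7, name, resp)
    second = auth.verify(7, name, resp)  # challenge 7 already consumed
    return first and not second


if __name__ == "__main__":
    print("correct secret:", run_session(b"example-shared-secret"))
    print("wrong secret:  ", run_session(b"not-the-secret"))
    print("stale response rejected:", old_response_is_rejected())
```

Each round is a complete CHAP exchange: Challenge from the authenticator, Response from the peer, then Success or Failure decided by `verify`. The per-identifier challenge table is what makes a captured response useless later, which is why the standard requires the challenge to be unpredictable.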
13. Answer: A. Virtual private network (VPN) connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer B is incorrect because a remote-access service (RAS) server functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

14. Answer: B. Client systems equipped with a modem can connect using normal dial-up acoustic connections to a properly equipped remote-access service (RAS) server, which functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer A is incorrect; virtual private network (VPN) connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

15. Answer: C. The Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer A is incorrect; virtual private network (VPN) connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer B is incorrect because a remote-access service (RAS) server functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer D is incorrect; RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise.

16. Answer: D. RADIUS provides centralized authentication and access control for credentials to resources within an extended enterprise. Answer A is incorrect; virtual private network (VPN) connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. Answer B is incorrect because a remote-access service (RAS) server functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory.

17. Answer: A, B. Modern solutions provide for both user authentication and authorization, including the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) protocols. Answer C is incorrect because the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. Answer D is incorrect because a remote-access service (RAS) functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.
18. Answer: C. Remember that LDAP is a TCP/IP-based protocol connecting by default to TCP port 389. Answers A and D are incorrect; ports 161 and 162 are used by SNMP. Answer B is incorrect because port 110 is used by POP3 for email.

19. Answer: C. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Based on this information, answers A, B, and D are incorrect.

20. Answer: B. RADIUS, which was developed originally for modem-based connectivity access control, uses User Datagram Protocol (UDP) transport. Answer A is incorrect; RADIUS uses UDP, which is connectionless, whereas TCP is a connection-oriented protocol. Answer C is incorrect. File Transfer Protocol is not connected with the use of RADIUS. Answer D is incorrect. SMTP is used for email communication.

21. Answer: A. TACACS+ is similar to Remote Authentication Dial-In User Service (RADIUS), but relies on Transmission Control Protocol (TCP) rather than the User Datagram Protocol (UDP) transport that RADIUS, developed originally for modem-based connectivity access control, uses. Therefore, answer B is incorrect. Answer C is incorrect. File Transfer Protocol is not connected with the use of TACACS+. Answer D is incorrect. SMTP is used for email communication.

22. Answer: D. CHAP functions over Point-to-Point Protocol (PPP) connections. PPP is a protocol for communicating between two points using a serial interface and provides service at the second layer of the OSI model: the data link layer. PPP can handle both synchronous and asynchronous connections. Answer A is incorrect. File Transfer Protocol is not connected with the use of CHAP. Answer B is incorrect; PPTP is not used as a connection protocol for CHAP. Answer C is incorrect; Shiva Password Authentication Protocol (SPAP) was designed by Shiva and is an older, two-way reversible encryption protocol that encrypts the password data sent between client and server.

23. Answer: C. TACACS is a client/server protocol that provides the same functionality as RADIUS, except that RADIUS is an actual Internet standard; therefore, answer A is incorrect. Answers B and D are incorrect because both RADIUS and TACACS are authentication protocols.

24. Answer: A, D. Biometric devices are susceptible to false acceptance and false rejection rates. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt. In other words, it will allow access to an unauthorized user. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. Answers B and C are incorrect because false positives and negatives are associated with intrusion detection systems.

25. Answer: C. Biometric devices are susceptible to false acceptance and false rejection rates. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. Answer A is incorrect because it describes a false negative. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt. In other words, it will allow access to an unauthorized user. Therefore, answer B is incorrect. Answer D is incorrect because it describes a false positive.
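Answer 19 states that RADIUS protects only the password in an Access-Request and leaves the rest of the packet in cleartext. The following added example (not code from the book or from any RADIUS implementation) shows exactly how that one attribute is hidden per RFC 2865 section 5.2: the password is null-padded to a multiple of 16 octets, each 16-octet block is XORed with MD5(shared secret || previous block), and the first "previous block" is the random Request Authenticator. The user name, password, shared secret and NAS address below are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and its reversal.

Only the User-Password attribute gets this treatment; User-Name, NAS-IP-Address
and every other attribute in the Access-Request are sent as-is, which is the
point of answer 19 above.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: return the hidden User-Password value (a multiple of 16 octets)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1 to 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_{i-1})
        block = _xor(padded[i:i + 16], key_block)         # c_i = p_i XOR b_i
        out += block
        prev = block  # chaining: the next key block depends on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret and authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # drop the null padding added by hide_password


def build_access_request(user: str, password: str, secret: bytes, authenticator=None):
    """Return (authenticator, attributes) the way a NAS places them on the wire."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh random Request Authenticator per packet
    attrs = {
        "User-Name": user.encode(),                                             # cleartext
        "User-Password": hide_password(password.encode(), secret, authenticator),
        "NAS-IP-Address": bytes([192, 0, 2, 10]),  # cleartext; constructed documentation address
    }
    return authenticator, attrs


if __name__ == "__main__":
    secret = b"example-shared-secret"
    auth, attrs = build_access_request("alice", "pa55w0rd", secret)
    for name, value in attrs.items():
        print(f"{name:15} {value.hex()}")
    print("server recovers:", reveal_password(attrs["User-Password"], secret, auth))
```

Two things the code makes visible that the sentence in answer 19 does not: the hiding is reversible (the server recovers the plaintext password, it does not compare hashes), and its strength rests entirely on the shared secret and a fresh random authenticator, because everything else in the packet can be read off the wire.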
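Answers 24 and 25 define the false acceptance rate and the false rejection rate in words. The added example below (not from the book or any biometric product) computes both from a set of constructed match scores at a few decision thresholds and finds the crossover where the two rates are equal, which is how the "degree of error ratios" in answer 12 is actually compared between devices. It assumes the matcher emits a similarity score in [0, 1] where a higher score means a closer match and the system accepts at or above a threshold; the score lists are made up.

```python
"""FAR and FRR for a biometric matcher at a chosen decision threshold.

FAR = impostor attempts accepted / all impostor attempts  (score >= threshold)
FRR = genuine attempts rejected / all genuine attempts    (score <  threshold)
Raising the threshold lowers FAR and raises FRR; the crossover is the
equal-error point vendors quote.
"""

# Constructed similarity scores; higher means a closer match to the stored template.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.81, 0.60, 0.95, 0.70, 0.85, 0.90, 0.55]  # enrolled user
IMPOSTOR_SCORES = [0.20, 0.35, 0.62, 0.15, 0.48, 0.71, 0.30, 0.10, 0.40, 0.25]  # other people


def far(impostor_scores, threshold):
    """Share of impostor attempts wrongly accepted at this threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """Share of genuine attempts wrongly rejected at this threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows, useful for picking an operating point."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor):
    """Threshold at which FAR and FRR are closest (the crossover / equal error rate)."""
    candidates = sorted(set(genuine) | set(impostor))  # only observed scores can change a rate
    return min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


if __name__ == "__main__":
    for t, a, r in error_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.65, 0.8]):
        print(f"threshold {t:.2f}: FAR {a:.0%}  FRR {r:.0%}")
    eer_t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at {eer_t:.2f}: FAR {far(IMPOSTOR_SCORES, eer_t):.0%}, "
          f"FRR {frr(GENUINE_SCORES, eer_t):.0%}")
```

The table makes the trade-off from answer 12 concrete: a low threshold is convenient for users (few false rejections) but admits impostors, a high one does the opposite, and the crossover is the single number that lets two devices be compared.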
Objective 5.2: Explain the fundamental concepts and best practices related to authorization and access control.

1. Answer: B. The phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer A is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

2. Answer: B. The User Account Control (UAC) technology used by the Microsoft operating system ensures that software applications cannot perform privileged access without additional authorization from the user. Within the Microsoft environment, lesser accounts may perform privileged processes using the "run as" option to specify the explicit use of a privileged account. Answer A is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

3. Answer: A. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles both improves awareness of the mandates of each role and also ensures that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

4. Answer: C. Separation of duties is an access control practice involving both the separation of logons, such as day-to-day and admin accounts assigned to the same network admin, as well as the separation of roles, such as security assignment and compliance audit procedures. Answer A is incorrect. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. This is also the reason that users with administrative access may be required to take vacations, allowing other administrators to
review standard operating practices in place. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained.

5. Answer: D. Expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time. Answer A is incorrect because rotation refers to alternating administrative users between roles to improve awareness of the mandates of each role and ensure that fraudulent activity cannot be sustained. Answer B is incorrect because purging is an action used to get rid of records. Answer C is incorrect because aging is associated with the length of time a password can be used.

6. Answer: C. Job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

7. Answer: B. The phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer A is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

8. Answer: A. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when access is not explicitly denied. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role and ensures that fraudulent activity cannot be sustained. Answer D is incorrect; expiration is an access control practice used for allowing passwords to expire on all accounts on a regular basis. This
includes accounts not used after a certain period of time, such as contractor accounts. It is also used for protecting against brute-force password-guessing attacks.

9. Answer: C. Separation of duties is an access control practice involving both the separation of logons, such as day-to-day and admin accounts assigned to the same network admin, as well as the separation of roles, such as security assignment and compliance audit procedures. Answer A is incorrect. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. This is also the reason that users with administrative access may be required to take vacations, allowing other administrators to review standard operating practices in place. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained.

10. Answer: C. Job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

11. Answer: D. Expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time. Unused accounts often retain weak passwords used in initial assignment and may be more susceptible to password-guessing routines. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer C is incorrect because job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained.

12. Answer: B. Separation of account functionality protects the network by ensuring that an inadvertent malware execution during normal daily operations cannot then attack the network with full administrative privileges. Answer A is incorrect because segregation of duties is an access control practice involving both the separation of logons, such as day-to-day and admin accounts assigned to the same network admin, and the separation of roles. Answer C is incorrect. Separation of role duties ensures that validation is maintained apart from execution, protecting the network against fraudulent
actions or incomplete execution of security mandates. Answer D is incorrect. Segregation of resources would be a separate subnet or a segment separated by a firewall.

13. Answer: A. The User Account Control (UAC) technology used by the Microsoft operating systems ensures that software applications cannot perform privileged access without additional authorization from the user. Within the Microsoft environment, lesser accounts may perform privileged processes using the "run as" option to specify the explicit use of a privileged account. Answer B is incorrect because the "send to" option is a right-click function used to export files. Answer C is incorrect. Gpresult is used to see the resultant set of group policies. Answer D is incorrect. The run command is a start menu item option used to run programs.

14. Answer: D. Unused accounts often retain weak passwords used in initial assignment and may be more susceptible to password-guessing routines. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer B is incorrect. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address.

15. Answer: C. Job rotation is an extension of the separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role, while also ensuring that fraudulent activity cannot be sustained. Answer A is incorrect. Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. Answer B is incorrect; the phrase "less is more" is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks. Answer D is incorrect; expiration is an access control practice to expire passwords on a regular basis, protecting against brute-force password-guessing attacks, and to expire accounts not used after a certain period of time.

16. Answer: B, C, D. Authentication can be generally broken into three basic forms, depending on what is required to authorize access: something you know, something you have, or something you are. Answer A is incorrect because something you touch may be a method used for validation, not a basic form.

17. Answer: B. Using a login and password is single-factor because it consists of only what you know. Therefore, it is not considered multifactor authentication. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Therefore, answer A is incorrect. Answer C is incorrect; Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. Answer D is incorrect; Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication.

18. Answer: C. Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the
Domain 5.0: Access Control and Identity Management
303
server that is providing authentication are verified. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Therefore, answer A is incorrect. Answer B is incorrect. Using a login and password is not considered multifactor authentication. It is single-factor because it consists of only what you know. Answer D is incorrect; Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication. 19. Answer: D. Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Therefore, answer A is incorrect. Answer B is incorrect. Using a login and password is not considered multifactor authentication. It is single-factor because it consists of only what you know. Answer C is incorrect; Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. 20. Answer: A. Multifactor authentication involves the use of two or more different forms of authentication. Different forms include what you know (logon, password, PIN), what you have (keycard, SecurID number generator), or what you are (biometrics). Answer B is incorrect. Using a login and password is not considered multifactor authentication. It is single-factor because it consists of only what you know. 
Answer C is incorrect; Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. Answer D is incorrect; Challenge-Handshake Authentication Protocol (CHAP) provides on-demand authentication. 21. Answer: B. Before authorization can occur for anything other than anonymous access to wholly public resources, the identity of the account attempting to access a resource must first be determined. This process is known as authentication. The most well-known form of authentication is the use of a logon account identifier and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided. Therefore, answers A, C, and D are incorrect. 22. Answer: D. The shortcoming of any authentication system is that the keys used may be easily falsified and access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of the potential for this weakness. Answer A is incorrect because lost tokens are a weakness specific to token-based (something you have) or multifactor authentication, not a shortcoming of authentication systems in general. Answer B is incorrect; false positives are associated with intrusion detection systems. Answer C is incorrect because weak encryption is most closely associated with wireless networks. 23. Answer: A. Most libraries require the creation of an account or a library card to use the computers and kiosks. Anonymous or open access represents the weakest possible form of authentication, whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification. The highest levels of authentication may involve not only account logon, but also
304
Chapter 5
when the logon is occurring from specific network addresses or whether a security token such as an access smart card is present. Answer B is incorrect because although anonymous access is a possibility, as a publicly funded institution, the library should have some due diligence to prevent the use of the computer for illegal purposes. Answers C and D are incorrect; these types of authentication are extremely expensive and restrictive for access to library resources. 24. Answer: C. The highest levels of authentication may involve not only account logon, but also where the logon is occurring from (specific network addresses) or whether a security token such as an access smart card is present. Most governmental financial systems would require some type of biometric verification and a security token. Answers A, B, and D are incorrect; they are not restrictive enough. Anonymous or open access represents the weakest possible form of authentication, whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification. 25. Answer: B. Millions of travelers access kiosks at airports daily. Although anonymous access is the weakest possible form of authentication, it is the only solution due to the volume of traffic. Whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification, requiring each traveler to use a login and password would create an unbearable backlog of travelers. Answer A is incorrect. Issuing security tokens is not cost-effective or administratively manageable in a kiosk environment. Answers C and D are incorrect; these types of authentication are extremely expensive and restrictive for access to airport kiosks. 26. Answer: A. Before access rights can be determined, a user must first be authenticated. 
Answer B is incorrect because the processes of authentication and access rights determination are not explicitly dependent on one another. Answers C and D are incorrect; authentication must precede access rights determination to avoid granting an unauthorized account access rights. 27. Answer: B. Authentication is the mechanism by which the unique identity is associated with a security principal (a specific user or service). Answer A is incorrect because it describes identification, which is the presentation of a unique identity. Answer C is incorrect; it is a description of identification. Identification presents credentials. Answer D is incorrect because it describes access control. Access control provides a set of resources available to the authenticated identity. 28. Answer: C, D. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access to all services is desirable. SSO solutions may employ a central directory service like Microsoft’s Active Directory or Novell’s eDirectory service, or may sequester services behind a series of proxy applications as in the Service-Oriented Architecture approach. Answer A is incorrect because implementing single sign-on solutions can be costly. Answer B is incorrect. When single sign-on is used, if an account is compromised, more resources are at risk. 29. Answer: D. Most access for telecommuters will involve not only account logon, but also when the logon is occurring from specific network addresses or whether a security token such as an access smart card is present. Answer A is incorrect; the requirement for both a logon identifier and password combination may be considered the
most basic of actual account verification and not strong enough for home users with always-on network connections. Answer B is incorrect. Anonymous access is a very weak solution for home users with always-on network connections and should not be used. Answer C is incorrect; this type of authentication is extremely expensive and does not make sense for the users. 30. Answer: A. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access to all services is desirable. Based on the previous information, answer B is incorrect. Anonymous access is a very weak solution for home users with always-on network connections and should not be used. Answers C and D are incorrect because neither administrative nor anonymous access should be used. 31. Answer: A. Mandatory access control, which is the most basic form of access control, involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. 32. Answer: B. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer A is incorrect. Mandatory access control, which is the most basic form of access control, involves the assignment of labels to resources and accounts. 
If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. 33. Answer: D. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of its access for the resource. Answer A is incorrect. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights.
34. Answer: D. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of its access for the resource. Answer A is incorrect. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. 35. Answer: A. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. This type of access control is often used within governmental systems where resources and access may be granted based on categorical assignment, such as classified, secret, or top secret. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. 36. Answer: C. 
In a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. This type of access is used with groups for inheritance by group member account. Answer A is incorrect because mandatory access control involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. 37. Answer: A, C. A mandatory access control solution involving labels such as DONOR and DISPLAY would suffice for the user access assignment. A role-based access control solution involving the roles of User and Donor would also be appropriate. Answer B is incorrect because the complexity of assigning by-user access rights over each item’s files would involve a large amount of administrative overhead. Answer D is incorrect because the complexity of the requirement is not great enough to involve detailed conditional testing. 38. Answer: D. A rule-based access control solution would allow detailed conditional testing of the user’s account type and the time of day and day of the week to allow or deny access. Answers A and B are incorrect because neither solution allows for conditional testing. Answer C is also incorrect because role-based access control
involves testing against role-assigned access rights, rather than by other qualities such as a test for normal working hours. 39. Answer: A, B. The TCSEC specification identifies levels of security based on the minimum level of access control used in a network environment by divisions and classes. The four divisions of access control are division D, which is Minimal; division C, which is Discretionary; division B, which is Mandatory; and division A, which is Verified. Division A is the highest level, essentially encompassing all elements of division B, in addition to formal design and verification techniques. Answers C and D are incorrect; they describe network design methods. 40. Answer: C. The TCSEC specification identifies levels of security based on the minimum level of access control used in a network environment. The four divisions of access control are division D, which is Minimal; division C, which is Discretionary; division B, which is Mandatory; and division A, which is Verified. Division A is the highest level, essentially encompassing all elements of division B, in addition to formal design and verification techniques. Based on the preceding statement, answers A, B, and D are incorrect. 41. Answer: A. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of its access for the resource. Answer B is incorrect. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. 
In a user-based model, permissions are uniquely assigned to each account. 42. Answer: A. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. 43. Answer: B. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer A is incorrect. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing.
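The four models that the answers to questions 31 through 45 keep contrasting (mandatory, discretionary, role-based, and rule-based access control) are easier to tell apart when each is written as a small policy-decision function. The following Python is an added example, not code from this book; every label, role, account, resource, and working-hours schedule in it is made up for the illustration. The rule-based function also carries out the day-of-week and time-of-day test that question 38 asks for.

```python
"""The four access-control models in the answers above as small policy
decision functions. Added illustration, not code from the book; every label,
role, account, resource and schedule below is made up for the example."""
from datetime import datetime

# --- Mandatory access control: labels on accounts and resources -----------
# Constructed clearance/classification ordering, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CLASSIFIED": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_can_read(account_label: str, resource_label: str) -> bool:
    """An account may read a resource only if its clearance dominates the
    resource's classification. The owner cannot override the outcome, which
    is what makes the control nondiscretionary."""
    return LEVELS[account_label] >= LEVELS[resource_label]


# --- Discretionary access control: the owner decides per object -----------
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.grants = {owner: {"read", "write", "grant"}}

    def grant(self, by: str, to: str, permission: str) -> bool:
        """Only a subject holding 'grant' (the owner by default) may change
        the object's permissions; returns False when the change is refused."""
        if "grant" not in self.grants.get(by, set()):
            return False
        self.grants.setdefault(to, set()).add(permission)
        return True

    def allows(self, subject: str, permission: str) -> bool:
        return permission in self.grants.get(subject, set())


# --- Role-based access control: rights to roles, roles to accounts --------
ROLE_PERMISSIONS = {
    "User": {"catalog:read"},
    "Donor": {"catalog:read", "donation:create"},
    "Curator": {"catalog:read", "catalog:write"},
}
ACCOUNT_ROLES = {"alice": {"Donor"}, "bob": {"User"}, "carol": {"Curator", "User"}}


def rbac_allows(account: str, permission: str) -> bool:
    """No right is attached to the account itself; its roles are unioned."""
    return any(permission in ROLE_PERMISSIONS[role]
               for role in ACCOUNT_ROLES.get(account, ()))


# --- Rule-based access control: ACL entry plus conditional tests ----------
# Constructed rule: the account type must be on the resource's ACL and the
# request must fall within normal working hours, Monday to Friday 08:00-18:00.
RULE_ACL = {"payroll.db": {"hr", "finance"}}


def rule_allows(account_type: str, resource: str, when: datetime) -> bool:
    on_acl = account_type in RULE_ACL.get(resource, set())
    working_hours = when.weekday() < 5 and 8 <= when.hour < 18
    return on_acl and working_hours
```

Note the shape of each decision: the MAC function consults only labels, the DAC object consults only what its owner granted, the RBAC function never looks up the account directly, and only the rule-based function takes the clock as an input.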
44. Answer: A. Mandatory access control is the most basic form of access control and involves the assignment of labels to resources and accounts. This type of access control is often used within governmental systems where resources and access may be granted based on categorical assignment, such as classified, secret, or top secret. Answer B is incorrect. In discretionary access control, a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects. Answer C is incorrect because in a role-based access control scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. Answer D is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. 45. Answer: C. In role-based access control, rather than providing a mechanism for direct assignment of rights to an account, access rights are assigned to roles, and accounts are then assigned these roles. This solution provides the greatest level of scalability within large enterprise scenarios, where the explicit granting of rights would rapidly incur a significant level of administrative overhead, and the potential for accidental grant of permissions beyond those needed becomes very high. Answer A is incorrect. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of its access for the resource. Answer B is incorrect. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer D is incorrect. In a user-based model, permissions are uniquely assigned to each account. 46. Answer: B. 
The smart card is an example of “what you have,” and the biometric measures are an example of “what you are.” Answer A is incorrect because there are no biometrics relating to the action “what you do,” only simple measurements of bodily configuration. Answer D is incorrect for the same reason—there is no “what you do” metric present. Answer C is incorrect because no PIN or password is employed as a “what you know” factor. 47. Answer: C. The Personal Identity Verification (PIV) Card is used by U.S. federal employees and contractors under HSPD 12. Answer A is incorrect because, although the cards in A, B, and C are all smart card variations, only the PIV card is the one specifically issued to federal employees and contractors under HSPD 12. Answer B is incorrect because the Common Access Card (CAC) is used by the U.S. military, the military reserve, and military contractors. Answer D is incorrect because the RSA SecurID is a token that generates time-based one-time codes, not a smart card. 48. Answer: B. The Common Access Card (CAC) is used by the U.S. military, the military reserve, and military contractors. Answer A is incorrect because it is a generic smart card variation. Answer C is incorrect because the Personal Identity Verification (PIV) Card is used by U.S. federal employees and contractors under HSPD 12. Answer D is incorrect because the RSA SecurID is a token that generates time-based one-time codes, not a smart card. 49. Answer: D. The correct order of operations is the authentication of provided credentials or keys, followed by authorization of the presented credentials, and finally, the application of access controls. Answer A is incorrect because the accounting of access
is a function of the authentication and authorization service rather than a required operation. Answer B is incorrect because identification is included along with authentication, and authorization is missing. Answer C is incorrect because identification involves only the presentation of credentials and not the requirement for verifying those credentials as valid. 50. Answer: A. Retinal biometric identification involves the scanning and identification of blood vessels and tissues in the back of the eye. Answer B is incorrect because iris biometric systems analyze only the external colored part of the eye around the pupil. Answer C is incorrect because signature biometric analysis involves the motions and patterns of a written signature rather than those of the back of the eye. Answer D is incorrect because facial recognition systems measure the overall proportions of facial features and bones.
Objective 5.3: Implement appropriate security controls when performing account management. 1. Answer: B. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer C is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer D is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created. 2. Answer: A. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes an access control list. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer C is incorrect because it describes Group Policy. 
Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer D is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created.
3. Answer: D. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created. A user’s access token includes the SIDs of all groups to which the user belongs. When a user logs on and authentication is successful, the logon process returns a SID for the user and a list of SIDs for the user’s security groups. The access token is made up of these elements. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes an access control list. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer C is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. 4. Answer: C. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. 
This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes an access control list. In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file. Answer D is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created. 5. Answer: A. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable. Responsibilities are delegated, and employees at different locations are made responsible for managing privileges within their administrative areas. Answers B and C are incorrect; a decentralized solution is less secure than a centralized model. Answer D is incorrect; a decentralized model is more scalable, not less scalable. 6. Answer: B. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable. Responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas. Answers A and D are incorrect; a centralized solution is more secure than a decentralized model. Answer C is incorrect; a centralized model is less scalable, not more scalable.
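The answers to questions 1 through 4 describe three pieces that meet at every Windows access check: the access token built at logon (the user's SID plus the SIDs of the user's groups), the ACL attached to the object, and the permissions the ACL grants. The following Python is an added example, not code from this book or from Microsoft: it models the token, the ACL as an ordered list of entries that each carry a trustee SID, an allow/deny type and an access mask of permission bits, and the in-order walk that decides the request. The SIDs, the mask bit values and the ACL contents are constructed for the illustration (real Windows access masks use different bit assignments).

```python
"""Windows-style access check. Added illustration, not code from the book:
a principal's access token carries its own SID plus the SIDs of its groups;
an object's ACL is an ordered list of entries, each naming a trustee SID, an
allow/deny type and an access mask; the check walks the entries in order.
The SIDs, mask bits and ACL entries below are constructed for the example."""
from dataclasses import dataclass

# Hypothetical access-mask bits (real Windows masks use different values).
READ, WRITE, DELETE, EXECUTE = 0x1, 0x2, 0x4, 0x8
BIT_NAMES = {READ: "READ", WRITE: "WRITE", DELETE: "DELETE", EXECUTE: "EXECUTE"}


def mask_names(mask: int) -> list:
    """Render an access mask as the list of right names it contains."""
    return [name for bit, name in BIT_NAMES.items() if mask & bit]


@dataclass(frozen=True)
class Token:
    """What the logon process builds after successful authentication."""
    user_sid: str
    group_sids: frozenset

    def sids(self) -> set:
        return {self.user_sid} | set(self.group_sids)


@dataclass(frozen=True)
class Ace:
    trustee_sid: str   # the user or group the entry applies to
    allow: bool        # True = access-allowed entry, False = access-denied entry
    mask: int          # the access mask: which rights the entry grants or denies


def check_access(token: Token, acl: list, requested: int) -> bool:
    """Evaluate entries in order. An entry applies when its trustee SID is in
    the token. An allow entry removes its bits from the outstanding request;
    a deny entry that covers any outstanding bit fails the check at once.
    Once nothing is outstanding the check succeeds and later entries are
    ignored. Windows canonical order lists explicit deny entries before allow
    entries, which is what makes a deny win over an allow for the same SID."""
    sids = token.sids()
    remaining = requested
    for ace in acl:
        if ace.trustee_sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed principals in a made-up domain; RID 513 is Domain Users.
DOMAIN = "S-1-5-21-1000-2000-3000"
ALICE = Token(f"{DOMAIN}-1001", frozenset({f"{DOMAIN}-513"}))
MALLORY = Token(f"{DOMAIN}-1002", frozenset({f"{DOMAIN}-513"}))

# Constructed ACL in canonical order: explicit deny first, then allows.
REPORT_ACL = [
    Ace(f"{DOMAIN}-1002", allow=False, mask=WRITE | DELETE),   # Mallory may not modify
    Ace(f"{DOMAIN}-513", allow=True, mask=READ | EXECUTE),     # Domain Users may read
    Ace(f"{DOMAIN}-1001", allow=True, mask=WRITE),             # Alice may also write
]


def demo() -> dict:
    return {
        "alice_read_write": check_access(ALICE, REPORT_ACL, READ | WRITE),   # True
        "mallory_read": check_access(MALLORY, REPORT_ACL, READ),             # True
        "mallory_write": check_access(MALLORY, REPORT_ACL, WRITE),           # False
        "alice_delete": check_access(ALICE, REPORT_ACL, DELETE),             # False
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'granted' if result else 'denied'}")
```

Two things worth noticing in the trace: Alice's read comes from the Domain Users group SID in her token rather than from her own SID, which is why group membership changes only take effect after a fresh logon rebuilds the token, and Mallory can still read the file because the deny entry covers only the write and delete bits.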
7. Answer: D. The order of GPO processing is important because a policy applied later overwrites a policy applied earlier. Group policies get applied from the bottom up, so if there is a conflict, the policy higher up in the list will prevail, unless it meets one of the exceptions, such as block inheritance and loopback. Based on the previous statement, answers A, B, and C are incorrect. 8. Answer: C. Recommendations for setting a good password policy include making the password length at least eight characters and requiring the use of uppercase and lowercase letters, numbers, and special characters. Answers A and B are incorrect because the length is too short and such passwords can easily be compromised. Answer D is incorrect because although it would create a secure password, the length is too long for the average user to remember, causing users to write them down. 9. Answer: A. When Group Policy configures these settings, keep in mind that a domain running at the Windows Server 2003 functional level or earlier can have only one domain account policy. The policy is applied at the root of the domain and becomes the policy for every account in the domain. (Windows Server 2008 introduced fine-grained password policies, which can apply different settings to specific users and groups.) Domain password policies affect all users in the domain. The effectiveness of these policies depends on how and where they are applied. Based on this information, answers B, C, and D are incorrect. 10. Answer: A, B, D. Good password policies include making the password length at least eight characters; requiring the use of uppercase and lowercase letters, numbers, and special characters; requiring users to change passwords every 60 to 90 days; and setting the server to not allow users to use the same password over and over again. Answer C is incorrect because locking out user accounts after two failed logon attempts will cause undue stress on the help desk staff. Best practice for failed logon attempts is to lock out after three to five bad logon attempts. 11. Answer: C. 
You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answers A, B, and D are incorrect because all these options affect all employees, not shift workers exclusively. 12. Answer: D. In Microsoft operating systems, each ACL has one or more access control entries (ACEs). Each entry identifies a trustee (a user, group, or role, referenced by its SID) and states the access privileges in a string of bits called an access mask. Generally, the object owner or the system administrator creates the ACL for an object. Answer A is incorrect because it describes logical access control. Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Answer B is incorrect because it describes Group Policy. Group Policy enables you to set consistent common security standards for a certain group of computers, enforce common computer and user configurations, simplify computer configuration by distributing applications, and restrict the distribution of applications that may have limited licenses. Answer C is incorrect because it describes a security identifier. A security identifier (SID) is a unique value that identifies a security principal. A SID is issued to every security principal when it is created.
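The password, lockout, and time-of-day settings in the answers to questions 8, 10, and 11 are easiest to reason about when the checks they imply are written out in the order a logon process would run them. The following Python is an added example, not code from this book or from any Windows component: it enforces a minimum length of eight with all four character classes, refuses reuse of recent passwords, expires passwords after 90 days, locks an account after five failed attempts, honors a per-weekday logon-hours window, and refuses expired accounts. The thresholds follow the recommendations in the answers where they give one; the history size and lockout duration are assumed values, the hashing scheme stands in for the operating system's own, and the accounts are constructed.

```python
"""Account-management checks matching the policy settings in the answers
above: password length and complexity, password history and maximum age,
lockout after a threshold of failed logons, logon-hours (time-of-day)
restrictions and account expiration. Added illustration, not code from the
book; thresholds follow the answers' recommendations where given and are
assumed values otherwise, and every account below is constructed."""
import hashlib
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8                             # from the answers
MAX_AGE_DAYS = 90                          # answers recommend 60 to 90 days
HISTORY_SIZE = 5                           # assumed value
LOCKOUT_THRESHOLD = 5                      # answers recommend 3 to 5 attempts
LOCKOUT_DURATION = timedelta(minutes=30)   # assumed value


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash for storage; PBKDF2 stands in for the OS's own scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    def __init__(self, name, password, now, expires=None, logon_hours=None):
        self.name = name
        self.salt = os.urandom(16)
        self.history = []                 # hashes of recent passwords, current one last
        self.password_set = now
        self.expires = expires            # datetime or None (account expiration attribute)
        self.logon_hours = logon_hours    # {weekday: (start_hour, end_hour)} or None for any time
        self.failed = 0
        self.locked_until = None
        self._store(password, now)

    def _store(self, password, now):
        self.history = (self.history + [_hash(password, self.salt)])[-HISTORY_SIZE:]
        self.password_set = now


def complexity_errors(password: str) -> list:
    """Length plus all four character classes, as the answers recommend."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = (("uppercase", str.isupper), ("lowercase", str.islower),
               ("digit", str.isdigit), ("special", lambda c: c in string.punctuation))
    for label, test in classes:
        if not any(test(c) for c in password):
            errors.append(f"missing {label} character")
    return errors


def change_password(account: Account, new_password: str, now: datetime) -> list:
    """Returns the list of policy violations; an empty list means the change was applied."""
    errors = complexity_errors(new_password)
    if _hash(new_password, account.salt) in account.history:
        errors.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    if not errors:
        account._store(new_password, now)
    return errors


def logon(account: Account, password: str, now: datetime) -> str:
    """Order of checks: expiration, lockout, logon hours, credential, password age."""
    if account.expires is not None and now >= account.expires:
        return "account expired"
    if account.locked_until is not None and now < account.locked_until:
        return "locked out"
    if account.logon_hours is not None:
        window = account.logon_hours.get(now.weekday())
        if window is None or not (window[0] <= now.hour < window[1]):
            return "outside logon hours"
    if _hash(password, account.salt) != account.history[-1]:
        account.failed += 1
        if account.failed >= LOCKOUT_THRESHOLD:
            account.failed = 0
            account.locked_until = now + LOCKOUT_DURATION
            return "locked out"
        return "bad password"
    account.failed = 0
    if now - account.password_set > timedelta(days=MAX_AGE_DAYS):
        return "password expired"
    return "ok"
```

The check order matters for the lockout counter: a request outside the logon-hours window is refused before the password is examined, so an attacker guessing passwords overnight against a shift worker's account neither learns anything about the credential nor locks the account out before the shift starts.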
312
Chapter 5
13. Answer: C. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control use a centralized database of accounts and the roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable: responsibilities are delegated, and employees at different locations are made responsible for managing privileges within their administrative areas. Answer A is incorrect because in a user-based model, permissions are uniquely assigned to each account. Answer B is incorrect because in a centralized model, there is one central database of accounts and the roles or groups to which the accounts are assigned. Answer D is incorrect because group-based access control is centralized.

14. Answer: B, D. Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control use a centralized database of accounts and the roles or groups to which the accounts are assigned. Decentralized security management is less secure but more scalable: responsibilities are delegated, and employees at different locations are made responsible for managing privileges within their administrative areas. Answer A is incorrect because in a user-based model, permissions are uniquely assigned to each account. Answer C is incorrect because in a decentralized model, responsibilities are delegated and employees at different locations manage privileges within their own administrative areas.

15. Answer: A. If the computer is a workgroup member rather than a domain member, only the local policy is applied; no site, domain, or OU policy reaches it. Based on this, answers B, C, and D are incorrect.

16. Answer: A, B, C. GPOs can be linked to sites, domains, or organizational units. Because Group Policy is so powerful, various administrative roles can be delegated, including creating, modifying, and linking policies. Answer D is incorrect; a forest spans domains, and a GPO cannot be linked to a forest.

17. Answer: D. The order of GPO processing matters because a setting applied later overwrites the same setting applied earlier. The GPOs linked to one container are applied in reverse link order, so in a conflict the GPO at the top of the list (link order 1) prevails. Based on this, answers A, B, and C are incorrect.

18. Answer: C. You can assign time-of-day restrictions to ensure that employees use computers only during specified hours. This setting is useful for organizations where users require supervision, where security certification requires it, or where employees are mainly temporary or shift workers. Answer A is incorrect because the account expiration attribute specifies when an account expires; it may be used under the same conditions as time-of-day restrictions. Answer B is incorrect because the account lockout policy secures the system against attacks by disabling the account for a set period after a certain number of failed attempts. Answer D is incorrect because software restriction policies govern which applications may run or be installed.

19. Answer: A. The account expiration attribute specifies when an account expires. This setting may be used under the same conditions as the time-of-day restrictions.
Domain 5.0: Access Control and Identity Management
313
Answer B is incorrect because the account lockout policy secures the system against attacks by disabling the account for a set period after a certain number of failed attempts. Answer C is incorrect: time-of-day restrictions ensure that employees use computers only during specified hours, which is useful where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answer D is incorrect because software restriction policies govern which applications may run or be installed.

20. Answer: B. The account lockout policy secures the system against attacks by disabling the account for a set period after a certain number of failed attempts. Answer A is incorrect: the account expiration attribute specifies when an account expires and may be used under the same conditions as time-of-day restrictions. Answer C is incorrect: time-of-day restrictions ensure that employees use computers only during specified hours, which is useful where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Answer D is incorrect because software restriction policies govern which applications may run or be installed.

21. Answer: A, B, C. A user account holds information about a specific user: basic information such as name, password, and the user's level of permission. Answer D is incorrect because device information is not part of a user account; device information is more closely associated with SNMP tracking.

22. Answer: C. The internal user has the greatest access to data and the most opportunity to either deliberately sabotage it or accidentally delete it. Partnering vendors, contract workers, and external users can damage data, but they do not hold enough permission to delete it accidentally, nor can they reach data as readily as internal users. Based on this information, answers A, B, and D are incorrect.

23. Answer: B. Active Directory provides flexibility by allowing two types of groups: security groups and distribution groups. Security groups are used to assign rights and permissions for resource access. Distribution groups hold user lists for applications or non-security-related functions; for example, Microsoft Exchange uses a distribution group to distribute mail. Answers A and D are incorrect because these groups do not exist. Answer C is incorrect because security groups are used to assign rights and permissions for resource access.

24. Answer: A, B, C, D. Users can be placed in universal, global, or domain local groups in Active Directory, or in local groups on an individual computer.

25. Answer: D. Within a user-based model, permissions are uniquely assigned to each account. One example is a peer-to-peer network or a workgroup where access is granted based on individual needs. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer B is incorrect; in group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer C is incorrect because in role-based access control, rather than assigning rights directly to an account, access rights are assigned to roles, and accounts are then assigned those roles.
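The password, expiration and lockout settings discussed in answers 8, 10, 19 and 20 are easiest to judge when they are enforced together. The following Python is an added example, not the book's code and not any operating system's implementation; the policy values, user name and passwords are constructed for the illustration, and only salted PBKDF2 hashes of the passwords are retained.

```python
"""Account policy enforcement in miniature (added example, not the book's
code or any vendor's implementation).

Applies a minimum length and character-class rule, a password history,
a maximum password age and a lockout after a small number of failed logons.
"""
import hashlib
import os
import re
from datetime import datetime, timedelta

POLICY = {
    "min_length": 8,
    "history": 5,                    # remember this many previous passwords
    "max_age": timedelta(days=90),   # the text recommends 60 to 90 days
    "lockout_threshold": 5,          # the text recommends 3 to 5 failed logons
    "lockout_duration": timedelta(minutes=30),
}
ITERATIONS = 100_000
CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def complexity_errors(password: str) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < POLICY["min_length"]:
        errors.append("too short")
    if not all(re.search(p, password) for p in CLASS_PATTERNS):
        errors.append("needs upper, lower, digit and special character")
    return errors


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []        # (salt, hash) pairs, newest last; the last one is current
        self.failed = 0
        self.locked_until = None
        self.set_password(password, now)

    def _matches_history(self, password):
        return any(_hash(password, salt) == digest for salt, digest in self.history)

    def set_password(self, password, now):
        errors = complexity_errors(password)
        if self._matches_history(password):
            errors.append("reuses one of the last %d passwords" % POLICY["history"])
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-POLICY["history"]:]
        self.changed = now

    def login(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'bad password'."""
        if self.locked_until and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if _hash(password, salt) != digest:
            self.failed += 1
            if self.failed >= POLICY["lockout_threshold"]:
                self.locked_until = now + POLICY["lockout_duration"]
                self.failed = 0
            return "bad password"
        self.failed = 0
        if now - self.changed > POLICY["max_age"]:
            return "expired"     # right password, but it must be changed now
        return "ok"


def demo():
    """Walk one constructed account through the policy; returns the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("jdoe", "Winter!2024", t0)
    out = {}
    try:
        acct.set_password("winter2024", t0)       # no uppercase, no special character
    except ValueError as e:
        out["weak"] = str(e)
    try:
        acct.set_password("Winter!2024", t0)      # same as the current password
    except ValueError as e:
        out["reuse"] = str(e)
    out["attempts"] = [acct.login("wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    out["during_lockout"] = acct.login("Winter!2024", t0 + timedelta(minutes=5))
    out["after_lockout"] = acct.login("Winter!2024", t0 + timedelta(minutes=31))
    out["stale"] = acct.login("Winter!2024", t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fifth wrong guess locks the account for the configured duration even if the next guess is right, which is the trade-off the text describes: a threshold of two would lock out honest typists, a threshold of three to five slows a guessing attack without flooding the help desk.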
26. Answer: B. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Access control over large numbers of user accounts is more easily accomplished by managing the permissions on each group, which are then inherited by the group's members. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer C is incorrect because in role-based access control, rather than assigning rights directly to an account, access rights are assigned to roles, and accounts are then assigned those roles. Answer D is incorrect; within a user-based model, permissions are uniquely assigned to each account. One example is a peer-to-peer network or a workgroup where access is granted based on individual needs.

27. Answer: C. Active Directory provides flexibility by allowing two types of groups: security groups and distribution groups. Security groups are used to assign rights and permissions for resource access. Answers A and D are incorrect because these groups do not exist. Answer B is incorrect because distribution groups hold user lists for applications or non-security-related functions.

28. Answer: B, D. The user rights assignment is twofold: it can grant specific privileges, and it can grant logon rights to users and groups in your computing environment. Logon rights control who can log on to the computer and how, such as the right to log on locally, whereas privileges allow users to perform system tasks, such as backing up files and directories. Answers A and C are incorrect because the user rights assignment has nothing to do with segregating users or resources; that is an access control function.

29. Answer: D. Within a user-based model, permissions are uniquely assigned to each account. One example is a peer-to-peer network or a workgroup where access is granted based on individual needs. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer B is incorrect; in group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Answer C is incorrect because in role-based access control, rather than assigning rights directly to an account, access rights are assigned to roles, and accounts are then assigned those roles.

30. Answer: B. In group-based access control, permissions are assigned to groups, and user accounts become members of the groups. Access control over large numbers of user accounts is more easily accomplished by managing the permissions on each group, which are then inherited by the group's members. Answer A is incorrect; in a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. Answer C is incorrect because in role-based access control, rather than assigning rights directly to an account, access rights are assigned to roles, and accounts are then assigned those roles. Answer D is incorrect; within a user-based model, permissions are uniquely assigned to each account. One example is a peer-to-peer network or a workgroup where access is granted based on individual needs.
31. Answer: A, D. The user rights assignment is twofold: it can grant specific privileges, and it can grant logon rights to users and groups in your computing environment. Logon rights control who can log on to the computer and how, such as the right to log on locally, whereas privileges allow users to perform system tasks, such as backing up files and directories. Answers B and C are incorrect because they state the exact opposite of what is true.

32. Answer: B. When working with groups, remember a few key points. No matter which OS you are working with, if a user has full access through one group and no access (an explicit deny) through another, the result is no access. Otherwise group permissions are cumulative: if a user belongs to two groups and one has more liberal access, the user gets the more liberal access, except where a no access right is involved. Therefore, answer A is incorrect. Answers C and D are incorrect because the user would have either full access or no access; read and write are not mentioned in the question.

33. Answer: D. Group permissions are cumulative, so if a user belongs to two groups and one has more liberal access, the user gets the more liberal access, except where a no access right is involved. For example, write access carries more privilege than read access alone. No matter which OS you are working with, if a user has full access through one group and no access through another, the result is no access. Therefore, answers A and B are incorrect. Answer C is incorrect because permissions are cumulative.

34. Answer: A. Although permissions can be applied to individual user accounts, they are best administered through group accounts. Answer B is incorrect because applying permissions to individual accounts creates administrative overhead and is not good practice. Answers C and D are incorrect because in a domain environment, users are placed in groups, and then permissions are set on the groups.

35. Answer: C. The administrative account should be used only for administering the server. Based on this, answers A, B, and D are incorrect.
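Answers 12, 32 and 33 describe how an ACL's entries and a user's group memberships combine into effective access. The following Python is an added example, not the book's code and not the Windows security reference monitor; the group names, share and access mask bits are invented for the illustration. It follows the shape of the Windows access check: ACEs are read in order, a matching deny that covers a requested bit refuses access, and matching allows accumulate until every requested bit is granted, assuming the ACL is in canonical order with explicit denies first.

```python
"""Effective permissions from an ACL (added example, not the book's code and
not the Windows security reference monitor).

Rights accumulate across every group the user belongs to, and a deny entry
that covers a requested right wins over any allow, which is the rule stated in
answers 32 and 33.
"""
from dataclasses import dataclass

# Access mask bits: a hypothetical subset in the style of generic file rights.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE
RIGHT_NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute", DELETE: "delete"}


@dataclass
class ACE:
    trustee: str   # user or group name (a SID in Windows)
    kind: str      # "allow" or "deny"
    mask: int      # access mask


def access_check(acl, principals, requested):
    """True if a token holding these principals is granted every requested bit."""
    granted = 0
    for ace in acl:
        if ace.trustee not in principals:
            continue            # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False        # a deny on any still-wanted bit ends the check
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True     # everything requested has been allowed
    return granted == requested


def effective_rights(acl, principals):
    """Named rights the principals hold, testing each bit on its own."""
    return sorted(name for bit, name in RIGHT_NAMES.items()
                  if access_check(acl, principals, bit))


def token(user, groups):
    """The principals a logon token carries: the user, Everyone, and the user's groups."""
    return {user, "Everyone", *groups}


# Constructed sample ACL for a payroll share, in canonical order (deny first).
PAYROLL_ACL = [
    ACE("Contractors", "deny", WRITE | DELETE),
    ACE("Finance", "allow", READ),
    ACE("PayrollAdmins", "allow", FULL),
    ACE("Everyone", "allow", READ),
]


if __name__ == "__main__":
    for user, groups in [("alice", ["Finance", "PayrollAdmins"]),
                         ("bob", ["Finance"]),
                         ("carol", ["PayrollAdmins", "Contractors"])]:
        print(user, effective_rights(PAYROLL_ACL, token(user, groups)))
```

Alice gets the union of her two groups' rights; Carol is a PayrollAdmin with full control, yet her Contractors membership strips write and delete, leaving read and execute. On a real system the Effective Access tab in the object's Advanced Security Settings, or `icacls`, gives the same answer for the actual ACL.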
CHAPTER SIX
Domain 6.0: Cryptography

Modern cryptography has become increasingly important and ubiquitous. Concern about the security of data keeps growing as data multiplies across information systems and traverses and resides in many different locations. Combined with more sophisticated attacks and a growing economy around computer-related fraud and data theft, this makes protecting the data itself more important than ever. A public key infrastructure (PKI) makes use of both public and private keys. It also provides the foundation for binding keys to an identity through a certificate authority (CA), thus providing the system for the secure exchange of data over a network through the use of an asymmetric key system. This system for the most part consists of digital certificates and the CAs that issue them. These certificates identify individuals, systems, and organizations that have been verified as authentic and trustworthy. As a prospective security professional, you should also take every opportunity you find to expand your skill base beyond these foundational elements. The following list includes the key areas from Domain 6 (which counts for 11% of the exam) that you need to master:

• Summarize general cryptography concepts
• Use and apply appropriate cryptographic tools and products
• Explain core concepts of public key infrastructure
• Implement PKI, certificate management, and associated components
318
Chapter 6
Practice Questions

Objective 6.1: Summarize general cryptography concepts.

1. Which of the following best describes a cryptography key?
❍ A. Plaintext data converted into an unreadable format
❍ B. Messages hidden from unintended recipients
❍ C. A string of bits used to encrypt and decrypt data
❍ D. Mathematical sequence used to perform encryption and decryption

2. Which of the following best describes steganography?
❍ A. Plaintext data converted into an unreadable format
❍ B. Messages hidden from unintended recipients
❍ C. A string of bits used to encrypt and decrypt data
❍ D. Mathematical sequence used to perform encryption and decryption

3. Which of the following best describes an algorithm?
❍ A. Plaintext data converted into an unreadable format
❍ B. Messages hidden from unintended recipients
❍ C. A string of bits used to encrypt and decrypt data
❍ D. Mathematical sequence used to perform encryption and decryption

4. Which of the following best describes encryption?
❍ A. Plaintext data converted into an unreadable format
❍ B. Messages hidden from unintended recipients
❍ C. A string of bits used to encrypt and decrypt data
❍ D. Mathematical sequence used to perform encryption and decryption

5. Which of the following best describes why cryptography has become increasingly important? (Select all correct answers.)
❍ A. Concerns over the security of data
❍ B. Steganography has become more prevalent
❍ C. Attacks have become more sophisticated
❍ D. Concerns over increasing virus infections
6. Which of the following are fundamental types of encryption algorithms? (Select all correct answers.)
❍ A. Hash function
❍ B. Asymmetric key
❍ C. Trusted platform
❍ D. Symmetric key

7. Which of the following best describes symmetric key cryptography?
❍ A. A hashing algorithm that uses a common shared key between the sender and receiver
❍ B. An encryption system that uses a common shared key between the sender and receiver
❍ C. An encryption system where each user has a pair of keys, one public and one private
❍ D. A hashing algorithm that uses a common shared key between the sender and receiver

8. Which of the following best describes asymmetric key cryptography?
❍ A. A hashing algorithm that uses a common shared key between the sender and receiver
❍ B. An encryption system that uses a common shared key between the sender and receiver
❍ C. An encryption system where each user has a pair of keys, one public and one private
❍ D. A hashing algorithm that uses a common shared key between the sender and receiver

9. Which of the following best describes where the user's public key is maintained in asymmetric encryption?
❍ A. On a centralized server so that anyone can access it
❍ B. Maintained on the host system or application
❍ C. In the cryptographic vault of the organization
❍ D. In the user's shared network folder for easy access

10. Which of the following best describes where the user's private key is maintained in asymmetric encryption?
❍ A. On a centralized server so that anyone can access it
❍ B. Maintained on the host system or application
❍ C. In the cryptographic vault of the organization
❍ D. In the user's shared network folder for easy access
11. Which of the following is another name for asymmetric algorithms?
❍ A. Shared key algorithms
❍ B. Private key algorithms
❍ C. Public key algorithms
❍ D. Secret key algorithms

12. Which of the following is another name for symmetric algorithms? (Select all correct answers.)
❍ A. Private key algorithms
❍ B. Shared secret key algorithms
❍ C. Public key algorithms
❍ D. Secret key algorithms

13. Which of the following best describes how a message encrypted with the private key is decrypted?
❍ A. The public key can never decrypt the message.
❍ B. The public key can always decrypt the message.
❍ C. The public key can sometimes decrypt the message.
❍ D. The public key can decrypt the message only when used by an administrator.

14. Which of the following best describes the function of the public key in asymmetric algorithms?
❍ A. The public key can never decrypt a message that it was used to encrypt.
❍ B. The public key can always decrypt a message that it was used to encrypt.
❍ C. The public key can sometimes decrypt a message that it was used to encrypt.
❍ D. The public key can decrypt a message that it was used to encrypt only when used by an administrator.

15. Which of the following best describes the difference between steganography and cryptography?
❍ A. Steganography seeks to expose the presence of a hidden message; cryptography transforms a message from a readable form to an unreadable form.
❍ B. Cryptography seeks to hide the presence of a message; steganography transforms a message from a readable form to an unreadable form.
❍ C. Cryptography seeks to expose the presence of a hidden message; steganography transforms a message from an unreadable form to a readable form.
❍ D. Steganography seeks to hide the presence of a message; cryptography transforms a message from a readable form to an unreadable form.

16. Which of the following best describes the coding used by many printers, consisting of tiny dots that reveal serial numbers and time stamps?
❍ A. Steganography
❍ B. Cryptography
❍ C. Hashing
❍ D. Phishing

17. In encryption, when data is broken into units of a fixed size (which depends on the algorithm) and the encryption is applied to those chunks of data, what type of algorithm is this?
❍ A. Block cipher
❍ B. Elliptic curve
❍ C. Symmetric encryption algorithm
❍ D. Hashing

18. Which type of algorithm generates a key pair (a public key and a private key) that is then used to encrypt and decrypt data and messages sent and received?
❍ A. Symmetric encryption algorithms
❍ B. Asymmetric encryption algorithms
❍ C. Elliptic curve
❍ D. Paired algorithms

19. Which of the following best describes the main intent of nonrepudiation?
❍ A. To prevent unauthorized modification of information or systems
❍ B. To prevent unauthorized disclosure of sensitive information
❍ C. To specify whether an identity should be granted access to a specific resource
❍ D. To provide an irrefutable method of accountability for the source of data
20. Which of the following are key elements that nonrepudiation services provide? (Select all correct answers.)
❍ A. Proof of origin
❍ B. Proof of delivery
❍ C. Proof of receipt
❍ D. Proof of service

21. An organization is implementing a security solution that attempts to guarantee the identity of the person sending data from one point to another. Which of the following best describes this implementation?
❍ A. Cryptography
❍ B. Digital signature
❍ C. Steganography
❍ D. Hashing function

22. Which of the following would be the best implementation solution for an organization to mitigate the risks associated with lost or stolen laptops and the accompanying disclosure laws?
❍ A. Whole disk encryption
❍ B. Trusted Platform Module
❍ C. Digital signatures
❍ D. Hashing functions

23. Which of the following would an organization implement if the environment required a highly secure solution that includes a mechanism to protect against passive interception?
❍ A. Symmetric encryption algorithms
❍ B. Asymmetric encryption algorithms
❍ C. Elliptic curve
❍ D. Quantum cryptography

24. When conducting an online banking transaction, users can be assured they are at the legitimate site by verifying the server-side certificate. Which of the following best describes this type of certificate?
❍ A. Digital signature
❍ B. Hashing function
❍ C. Single sided
❍ D. Dual sided
25. An organization is concerned about back doors and flaws undermining encryption algorithms. Which of the following technologies should the organization choose?
❍ A. An algorithm based on DES
❍ B. An already proven algorithm
❍ C. A proprietary vendor algorithm
❍ D. An in-house-developed algorithm
Objective 6.2: Use and apply appropriate cryptographic tools and products.

1. Which of the following are classifications of symmetric algorithms? (Select all correct answers.)
❍ A. Classical cipher
❍ B. Block cipher
❍ C. Stream cipher
❍ D. Simple cipher

2. DES is which of the following types of cipher?
❍ A. Classical cipher
❍ B. Block cipher
❍ C. Stream cipher
❍ D. Simple cipher

3. Which of the following is the total key length of 3DES?
❍ A. 168 bits in length
❍ B. 64 bits in length
❍ C. 128 bits in length
❍ D. 256 bits in length

4. Which of the following is a stream cipher?
❍ A. RC5
❍ B. Blowfish
❍ C. IDEA
❍ D. RC4
5. Which of the following block ciphers can perform encryption with any key length up to 448 bits?
❍ A. RC5
❍ B. Blowfish
❍ C. IDEA
❍ D. RC4

6. An organization wants to be able to export encrypted files to a country that allows only 56-bit encryption. Which of the following would the organization choose?
❍ A. 3DES
❍ B. RC5
❍ C. DES
❍ D. AES

7. An organization wants to use an encryption method that uses a 168-bit key length. Which of the following would the organization choose?
❍ A. 3DES
❍ B. RC5
❍ C. DES
❍ D. AES

8. An organization wants to use an encryption method that uses a 256-bit key length. Which of the following could the organization choose? (Select all correct answers.)
❍ A. 3DES
❍ B. RC5
❍ C. DES
❍ D. AES

9. Which of the following ciphers has earned the mark of being completely unbreakable?
❍ A. RC5
❍ B. OTP
❍ C. IDEA
❍ D. DES
10. In an implementation of Advanced Encryption Standard (AES), which of the following is the correct number of layers that the data passes through?
❍ A. Five
❍ B. Four
❍ C. Three
❍ D. Two

11. An organization wants to use an encryption algorithm that uses little overhead. Which of the following could the organization choose? (Select all correct answers.)
❍ A. RSA
❍ B. ECC
❍ C. RC5
❍ D. DES

12. An organization wants to use a system that incorporates a mixed approach, using both asymmetric and symmetric encryption. Which of the following meets this requirement?
❍ A. OTP
❍ B. PGP
❍ C. DES
❍ D. ECC

13. Which of the following asymmetric algorithms is considered by many to be the standard for encryption and the core technology that secures most business conducted on the Internet?
❍ A. RSA
❍ B. ECC
❍ C. OTP
❍ D. DES

14. An organization wants to use an encryption algorithm that combines a compact design with extreme difficulty to break. Which of the following meets this requirement?
❍ A. RSA
❍ B. ECC
❍ C. OTP
❍ D. DES
15. Which of the following ciphers has the highest storage and transmission costs?
❍ A. RC5
❍ B. OTP
❍ C. IDEA
❍ D. DES

16. Which of the following is a hash algorithm developed within the academic system?
❍ A. MD5
❍ B. SHA-1
❍ C. RIPEMD
❍ D. NTLM

17. An organization wants to use a system for the encryption and decryption of email along with digitally signing emails. Which of the following meets this requirement?
❍ A. OTP
❍ B. PGP
❍ C. DES
❍ D. ECC

18. Which of the following AES encryption key strengths is most commonly found today on secure USB sticks?
❍ A. 128 bits in length
❍ B. 192 bits in length
❍ C. 256 bits in length
❍ D. 1024 bits in length

19. Which of the following ciphers does TKIP use?
❍ A. RC5
❍ B. Blowfish
❍ C. IDEA
❍ D. RC4

20. Which of the following ciphers does WEP use?
❍ A. RC5
❍ B. Blowfish
❍ C. IDEA
❍ D. RC4
21. Which of the following best describes a hash?
❍ A. Plaintext data converted into an unreadable format
❍ B. A generated summary from a mathematical rule
❍ C. A string of bits used to encrypt and decrypt data
❍ D. Mathematical sequence used to perform encryption and decryption

22. Which of the following best describes how hashing functions work?
❍ A. By taking a string of any length and producing a string of exactly the same length as output
❍ B. By taking a string of any length and encrypting it bit by bit, one at a time
❍ C. By taking a string of any length and producing a fixed-length string as output
❍ D. By taking a string of any length and encrypting it in fixed-length chunks

23. Which of the following is correct about a hash created from a document?
❍ A. The document can be unencrypted using the same hash.
❍ B. The document can be re-created from the hash.
❍ C. The document can be re-created by using the same encryption.
❍ D. The document cannot be re-created from the hash.

24. Which of the following is the digest length that SHA-1 generates?
❍ A. 160 bits in length
❍ B. 64 bits in length
❍ C. 128 bits in length
❍ D. 256 bits in length

25. Which of the following is the digest length that the MD series (MD2, MD4, MD5) generates?
❍ A. 160 bits in length
❍ B. 64 bits in length
❍ C. 128 bits in length
❍ D. 256 bits in length
26. Which of the following best describes a message authentication code?
❍ A. An encryption system that uses a common shared key between the sender and receiver
❍ B. A piece of data derived by applying a message combined with a secret key to a cryptographic algorithm
❍ C. An encryption system where each user has a pair of keys, one public and one private
❍ D. A hash algorithm pioneered by the National Security Agency and widely used in the U.S. government

27. Which of the following are primary weaknesses of the LM hash? (Select all correct answers.)
❍ A. Before being hashed, all lowercase characters in the password are converted to uppercase characters.
❍ B. The authenticity of the public key can easily be forged by an attacker.
❍ C. Passwords longer than seven characters are broken down into two chunks.
❍ D. Management of the keys is often overlooked and they can easily be compromised.

28. An organization wants to select a hashing method that will be able to resist forgery and is not open to man-in-the-middle attacks. Which of the following would be the most appropriate choice for the organization?
❍ A. SHA
❍ B. NTLM
❍ C. MD
❍ D. MAC

29. Which of the following hashing algorithms is the most resource intensive?
❍ A. MD5
❍ B. SHA-2
❍ C. LM
❍ D. NTLMv2
30. An organization wants to select the most appropriate hashing method that can be used to secure Windows authentication. Which of the following should the organization choose?
❍ A. MD5
❍ B. SHA
❍ C. LM
❍ D. NTLMv2
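Questions 22 through 28 above concern digest length, the difference between a bare hash and a keyed message authentication code, and why only the latter resists forgery. The following Python is an added example, not the book's code; the messages and the shared key are constructed for the illustration, and the "attacker" is simulated inline.

```python
"""Hashes, message authentication codes and forgery (added example, not the
book's code).

Shows that a digest has a fixed length whatever the input size, that an
integrity tag built from a bare hash is forged by simply recomputing it over
the altered message, and that an HMAC keyed with a secret the attacker does
not hold rejects both the old tag and a tag made with a guessed key.
"""
import hashlib
import hmac
import secrets


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits that the named algorithm produces for data."""
    return hashlib.new(algorithm, data).digest_size * 8


# --- integrity tag from a bare hash: anyone can recompute it ---------------

def tag_with_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def check_with_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_with_hash(message), tag)


# --- integrity tag from an HMAC: recomputing it needs the key ---------------

def tag_with_hmac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def check_with_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest takes the same time whether or not the tags match, so the
    # comparison itself leaks nothing about the expected tag.
    return hmac.compare_digest(tag_with_hmac(key, message), tag)


def demo():
    """Sender tags a message; an intermediary rewrites it; receiver checks."""
    key = secrets.token_bytes(32)                 # shared by sender and receiver only
    original = b"transfer 100 to account 42"      # constructed sample message
    forged = b"transfer 100 to account 66"        # constructed tampering

    # Bare hash: the attacker replaces the message and recomputes the tag.
    forged_hash_tag = tag_with_hash(forged)
    # HMAC: without the key the attacker can only reuse the old tag or guess a key.
    mac_tag = tag_with_hmac(key, original)
    forged_mac_tag = tag_with_hmac(secrets.token_bytes(32), forged)

    return {
        "hash_accepts_forgery": check_with_hash(forged, forged_hash_tag),
        "hmac_accepts_original": check_with_hmac(key, original, mac_tag),
        "hmac_accepts_old_tag_on_forgery": check_with_hmac(key, forged, mac_tag),
        "hmac_accepts_guessed_key": check_with_hmac(key, forged, forged_mac_tag),
        "fixed_length": digest_bits("sha256", b"") == digest_bits("sha256", b"x" * 1_000_000),
        "sha1_bits": digest_bits("sha1", b"abc"),
        "md5_bits": digest_bits("md5", b"abc"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A bare digest proves only that the message was not corrupted in transit; it proves nothing about who produced it, because the forger recomputes it as easily as the sender did. The HMAC binds the tag to the shared key, which is why question 28's answer is the MAC rather than any particular hash algorithm.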
Objective 6.3: Explain core concepts of public key infrastructure.

1. Which of the following best describes a public key infrastructure?
❍ A. A de facto standard that defines a framework for authentication services by a directory
❍ B. A collection of varying technologies and policies for the creation and use of digital certificates
❍ C. The de facto cryptographic message standards developed and published by RSA Laboratories
❍ D. The development of Internet standards for X.509-based key infrastructures

2. Which of the following best describes the scenario where all certificates are issued by a third-party certificate authority (CA) and, if one party trusts the CA, it automatically trusts the certificates that CA issues?
❍ A. Certificate trust model
❍ B. Certificate authority
❍ C. Registration authority
❍ D. Certificate practice statement

3. Which of the following best describes the Public Key Cryptography Standards?
❍ A. A de facto standard that defines a framework for authentication services by a directory
❍ B. A collection of varying technologies and policies for the creation and use of digital certificates
❍ C. The de facto cryptographic message standards developed and published by RSA Laboratories
❍ D. The development of Internet standards for X.509-based key infrastructures
4. Which of the following provides authentication to the CA as to the validity of a client’s certificate request?
❍ A. Certificate trust model
❍ B. Certificate authority
❍ C. Registration authority
❍ D. Certificate practice statement
5. Which of the following is true about the validity period of X.509 standard digital certificates?
❍ A. It can be of any duration period.
❍ B. It is renewed on a six-month period.
❍ C. It can only be one year.
❍ D. It cannot be more than three years.
6. Which of the following information is contained in an X.509 standard digital certificate? (Select all correct answers.)
❍ A. User’s private key
❍ B. Signature algorithm identifier
❍ C. User’s public key
❍ D. Serial number
7. Which of the following issues certificates, verifies the holder of a digital certificate, and ensures that the holder of the certificate is who they claim to be?
❍ A. Certificate trust model
❍ B. Certificate authority
❍ C. Registration authority
❍ D. Certificate practice statement
8. Which of the following best describes the X.509 standard?
❍ A. A de facto standard that defines a framework for authentication services by a directory
❍ B. A collection of varying technologies and policies for the creation and use of digital certificates
❍ C. The de facto cryptographic message standards developed and published by RSA Laboratories
❍ D. The development of Internet standards for X.509-based key infrastructures
9. Which of the following is a legal document created and published by a CA for the purpose of conveying information?
❍ A. Certificate trust model
❍ B. Certificate authority
❍ C. Registration authority
❍ D. Certificate practice statement
10. Which of the following best describes PKIX?
❍ A. A de facto standard that defines a framework for authentication services by a directory
❍ B. A collection of varying technologies and policies for the creation and use of digital certificates
❍ C. The de facto cryptographic message standards developed and published by RSA Laboratories
❍ D. The development of Internet standards for X.509-based certificate infrastructures
11. Which of the following are functions of a registration authority? (Select all correct answers.)
❍ A. Serves as an aggregator of information
❍ B. Conveys information in the form of a legal document
❍ C. Ensures that the holder of the certificate is who they claim to be
❍ D. Provides authentication about the validity of a certificate request
12. An organization determines that some clients have fraudulently obtained certificates. Which of the following would be the most likely action the organization will take?
❍ A. Use a recovery agent
❍ B. Revoke the certificates
❍ C. Change the trust model
❍ D. Implement key escrow
13. Which of the following provides the rules indicating the purpose and use of an assigned digital certificate?
❍ A. Registration authority
❍ B. Key escrow
❍ C. Trust model
❍ D. Certificate policy
14. Which of the following is used to describe the situation where a CA or other entity maintains a copy of the private key associated with the public key signed by the CA?
❍ A. Registration authority
❍ B. Key escrow
❍ C. Trust model
❍ D. Certificate policy
15. Which of the following best describes the difference between a certificate policy and a certificate practice statement?
❍ A. The focus of a certificate policy is on the CA; the focus of a CPS is on the certificate.
❍ B. The focus of a certificate policy is on the private key; the focus of a CPS is on the public key.
❍ C. The focus of a certificate policy is on the certificate; the focus of a CPS is on the CA.
❍ D. The focus of a certificate policy is on the public key; the focus of a CPS is on the private key.
16. An organization determines that some clients have fraudulently obtained certificates. Which of the following is used to distribute certificate revocation information?
❍ A. CPS
❍ B. CRL
❍ C. ACL
❍ D. PKI
17. Which of the following CA models is most closely related to a web of trust?
❍ A. Cross-certification model
❍ B. Hierarchical model
❍ C. Bridge model
❍ D. Virtual bridge model
18. An organization requires a process that can be used for restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Which of the following will meet the organizational requirement?
❍ A. Key storage
❍ B. Key revocation
❍ C. Key escrow
❍ D. Key recovery
19. An organization decides to implement a single CA architecture. Which of the following is the greatest potential issue the organization will face in using this model?
❍ A. Sole point of compromise
❍ B. Multiple points of compromise
❍ C. Difficult key management
❍ D. Complex certificate management
20. An organization is implementing a certificate architecture. Which of the following CAs would the organization take offline?
❍ A. Subordinate CA
❍ B. Secondary CA
❍ C. Bridge CA
❍ D. Root CA
Objective 6.4: Implement PKI, certificate management, and associated components.
1. An organization is formulating policies for the certificate life cycle. Which of the following documents will the organization include? (Select all correct answers.)
❍ A. Certificate revocation statement
❍ B. Certificate policy
❍ C. Key escrow
❍ D. Certification practice statement
2. An organization decides to implement a centralized key management system. Which of the following are the greatest potential issues the organization will face in implementing this system? (Select all correct answers.)
❍ A. Need for a secure channel to transmit the private key
❍ B. Additional required infrastructure
❍ C. Additional administrative overhead
❍ D. Need for a secure channel to transmit the public key
3. An organization wishes to allow a CA to have access to all the information that is encrypted using the public key from a user’s certificate, as well as create digital signatures on behalf of the user. Which of the following best meets this requirement?
❍ A. Key storage
❍ B. Key revocation
❍ C. Key escrow
❍ D. Key recovery
4. An administrator is tasked with checking the state of several digital certificates. Which of the following will the administrator use to perform this function? (Select all correct answers.)
❍ A. Certificate policy
❍ B. Certificate revocation lists
❍ C. Online Certificate Status Protocol
❍ D. Certification practice statement
5. An organization discovers that some clients may have fraudulently obtained certificates. The organization wants to allow the certificates to stay in place until the validity can be verified. Which of the following is the most appropriate action for the organization?
❍ A. Certificate revocation
❍ B. Certificate suspension
❍ C. Key recovery
❍ D. Key escrow
6. An organization discovers that some clients may have corrupt key pairs but the keys are still considered valid and trusted. Which of the following is the most appropriate action for the organization?
❍ A. Certificate revocation
❍ B. Certificate suspension
❍ C. Key recovery
❍ D. Key escrow
7. An organization chooses to implement a decentralized key management system. For which of the following functions will a user be responsible?
❍ A. Revocation of the digital certificate
❍ B. Creation of the digital certificate
❍ C. Key recovery and archiving
❍ D. Creation of the private and public keys
8. An organization wants to reduce the complexity of using a large cross-certification model. Which of the following will meet this requirement?
❍ A. A subordinate CA model
❍ B. A hierarchical model
❍ C. A bridge CA model
❍ D. A root CA model
9. A reorder associate needs a key pair for signing and sending encrypted messages and a key pair for restricted equipment ordering limited to a specific dollar amount. Which of the following is true about the number of key pairs required in this situation?
❍ A. Only one key pair is needed.
❍ B. Two key pairs are required.
❍ C. Three key pairs are required.
❍ D. Four key pairs are required.
10. The key usage extension of the certificate specifies which of the following?
❍ A. The cryptographic algorithm used
❍ B. How the private key can be used
❍ C. The time frame the key can be used
❍ D. How the public key can be used
11. Which of the following are best practices regarding key destruction if the key pair is used for digital signatures? (Select all correct answers.)
❍ A. The certificate should be added to the CRL.
❍ B. The public key portion should be destroyed first.
❍ C. The private key portion should be destroyed first.
❍ D. The certificate should be added to the CPS.
12. Which of the following are correct functions of the certificate key usage extension? (Select all correct answers.)
❍ A. Peer negotiation
❍ B. Creation of digital signatures
❍ C. Exchange of sensitive information
❍ D. Securing of connections
13. Which of the following is true regarding the encryption and decryption of email using an asymmetric encryption algorithm?
❍ A. The public key is used to either encrypt or decrypt.
❍ B. The private key is used to decrypt data encrypted with the public key.
❍ C. The private key is used to encrypt and the public key is used to decrypt.
❍ D. A secret key is used to perform both encryption and decryption operations.
14. Which of the following best describes what happens when a certificate expires?
❍ A. It gets automatically renewed.
❍ B. It can be extended for another equal period.
❍ C. A new certificate must be issued.
❍ D. A new identity is issued for the current one.
15. Which of the following events are a part of the certificate life cycle? (Select all correct answers.)
❍ A. Creation
❍ B. Preservation
❍ C. Usage
❍ D. Destruction
16. An organization had an incident where a private key was compromised. Which of the following methods can the organization use to notify the community that the certificate is no longer valid? (Select all correct answers.)
❍ A. Certificate policy statement
❍ B. Certificate revocation list
❍ C. Certification practice statement
❍ D. Online Certificate Status Protocol
17. Which of the following best describes the difference between certificate suspension and certificate revocation?
❍ A. In suspension, new credentials are not needed; in revocation, new credentials are issued.
❍ B. In suspension, new credentials are issued; in revocation, new credentials are not needed.
❍ C. In suspension, the key pair is restored from backup; in revocation, the key pair is restored from escrow.
❍ D. In suspension, the key pair is restored from escrow; in revocation, the key pair is restored from backup.
18. The organization wants to implement the backing up of public and private keys across multiple systems. Which of the following satisfies this requirement?
❍ A. Key escrow
❍ B. M of N control
❍ C. Key recovery
❍ D. Version control
19. Which of the following are basic status levels existing in most PKI solutions? (Select all correct answers.)
❍ A. Active
❍ B. Valid
❍ C. Revoked
❍ D. Suspended
20. Which of the following problems does key escrow enable an organization to overcome?
❍ A. Forgotten passwords
❍ B. Forged signatures
❍ C. Phishing emails
❍ D. Virus infection
Quick-Check Answer Key
Objective 6.1: Summarize general cryptography concepts.
1. C
2. B
3. D
4. A
5. A, C
6. B, D
7. B
8. C
9. A
10. B
11. C
12. A, B, D
13. B
14. A
15. D
16. B
17. A
18. B
19. D
20. B, C, D
21. D
22. A
23. D
24. C
25. B
Objective 6.2: Use and apply appropriate cryptographic tools and products.
1. B, C
2. B
3. A
4. D
5. B
6. C
7. A
8. B, D
9. B
10. C
11. C, D
12. B
13. A
14. B
15. B
16. C
17. B
18. C
19. D
20. D
21. B
22. C
23. D
24. A
25. C
26. B
27. A, C
28. D
29. B
30. D
Objective 6.3: Explain core concepts of public key infrastructure.
1. B
2. A
3. C
4. C
5. A
6. B, C, D
7. B
8. A
9. D
10. D
11. A, D
12. B
13. D
14. B
15. C
16. B
17. A
18. D
19. A
20. D
Objective 6.4: Implement PKI, certificate management, and associated components.
1. B, D
2. A, B
3. C
4. B, C
5. B
6. C
7. D
8. C
9. B
10. B
11. A, C
12. B, C
13. B
14. C
15. A, C, D
16. B, D
17. A
18. B
19. B, C, D
20. A
Answers and Explanations
Objective 6.1: Summarize general cryptography concepts.
1. Answer: C. A cryptography key describes a string of bits, which are used for encrypting and decrypting data. These keys can also be thought of as a password or table. Answer A is incorrect because it describes encryption. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer B is incorrect because it describes steganography. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer D is incorrect; an algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption.
2. Answer: B. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer A is incorrect because it describes encryption. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer C is incorrect because it describes a cryptography key. A cryptography key is a string of bits, which are used for encrypting and decrypting data. Answer D is incorrect; an algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption.
3. Answer: D. An algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption. Answer A is incorrect because it describes encryption. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer B is incorrect because it describes steganography. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer C is incorrect because it describes a cryptography key. A cryptography key is a string of bits, which are used for encrypting and decrypting data.
4. Answer: A. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer B is incorrect because it describes steganography. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer C is incorrect because it describes a cryptography key. A cryptography key is a string of bits, which are used for encrypting and decrypting data. Answer D is incorrect; an algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption.
5. Answer: A, C. There are growing concerns over the security of data, which continues to rapidly grow across information systems and reside in many different locations. Combining this with more sophisticated attacks and a growing economy around computer-related fraud and data theft makes the need to protect the data itself even more important than in the past. Answers B and D are incorrect; the increase in virus infections and use of steganography has nothing to do with cryptography.
6. Answer: B, D. There are two fundamental types of encryption algorithms: symmetric key and asymmetric key. Answer A is incorrect. Hashing algorithms are not encryption methods, but offer additional system security via a “signature” for data confirming the original content. Answer C is incorrect; Trusted Platform is the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information.
7. Answer: B. Symmetric key cryptography is an encryption system that uses a common shared key between the sender and receiver. Answers A and D are incorrect because hashing is different from encryption. Answer C is incorrect because it describes asymmetric key cryptography.
8. Answer: C. The asymmetric encryption algorithm has two keys: a public one and a private one. Answers A and D are incorrect because hashing is different from encryption. Answer B is incorrect because it describes symmetric key cryptography.
9. Answer: A. The asymmetric encryption algorithm has two keys: a public one and a private one. The public key is made available to whoever is going to encrypt the data sent to the holder of the private key. Often the public encryption key is made available in a number of fashions, such as email or centralized servers that host a pseudo address book of published public encryption keys. Answer B is incorrect because this is where the private key is stored. Answer C is incorrect because a cryptographic vault is used for theft resistance. It is a small crypto file system containing all the secrets in unencrypted form. Answer D is incorrect; the user shared network folder is not used to store the public key.
10. Answer: B. The asymmetric encryption algorithm has two keys: a public one and a private one. The private key is maintained on the host system or application. Answer A is incorrect because this is where the public key is stored. The public encryption key is made available in a number of fashions, such as email or centralized servers that host a pseudo address book of published public encryption keys. Answer C is incorrect because a cryptographic vault is used for theft resistance. It is a small crypto file system containing all the secrets in unencrypted form. Answer D is incorrect; the user shared network folder is not used to store the public key.
11. Answer: C. Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm. Answers A, B, and D are incorrect; symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms.
12. Answer: A, B, D. Symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms. Answer C is incorrect. Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm.
13. Answer: B. Some general rules for asymmetric algorithms include the following: the public key can never decrypt a message that it was used to encrypt with, private keys should never be able to be determined through the public key (if it is designed properly), and each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it; therefore, answers A and C are incorrect. Answer D is incorrect because the public key can never be used to decrypt a message even by an administrator.
14. Answer: A. Some general rules for asymmetric algorithms include the following: the public key can never decrypt a message that it was used to encrypt with, private keys should never be able to be determined through the public key (if it is designed properly), and each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it; therefore, answers B and C are incorrect. Answer D is incorrect because the public key can never be used to decrypt a message even by an administrator.
15. Answer: D. Steganography seeks to hide the presence of a message, whereas the purpose of cryptography is to transform a message from readable plaintext into an unreadable form known as ciphertext. Answer A is incorrect because steganography seeks to hide the presence of a message, not expose it. Answers B and C are incorrect because the descriptions of each are reversed and cryptography has nothing to do with hiding or exposing hidden messages.
16. Answer: B. Steganography has been used by many printers, using tiny dots that reveal serial numbers and time stamps. Answer A is incorrect; phishing is the fraudulent process of attempting to acquire sensitive information. Answer C is incorrect; cryptography transforms a message from readable plaintext into an unreadable form known as ciphertext. Answer D is incorrect; a hash is a generated summary from a mathematical rule or algorithm.
17. Answer: A. When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Answer B is incorrect because this describes a public key encryption algorithm. Although many symmetric algorithms use a block cipher, answer C is incorrect because a block cipher is a more precise and accurate term for the given question. Answer D is incorrect because hashing does not encrypt.
18. Answer: B. Although many different types of algorithms use public and private keys to apply their encryption algorithms in their own various ways, algorithms that perform this way are called asymmetric encryption algorithms (or public key encryption). Answer C is incorrect because this is only a type of asymmetric encryption algorithm. Answer A is incorrect because symmetric algorithms use a single key. Answer D is not a type of algorithm, and so it is incorrect.
19. Answer: D. Nonrepudiation is intended to provide, through encryption, a method of accountability in which there is not a way to refute where data has been sourced (or arrived from). Answer A is incorrect because it describes integrity. Answer B is incorrect because it describes confidentiality. Answer C is incorrect because it describes authorization.
20. Answer: B, C, D. The four key elements that nonrepudiation services provide are proof of origin, proof of submission, proof of delivery, and proof of receipt. Answer A is incorrect because proof of service is a court paper filed by a process server as evidence that the witness or party to the lawsuit was served with the court papers as instructed.
21. Answer: D. Digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer A is incorrect; a hash is a generated summary from a mathematical rule or algorithm. Answer B is incorrect; steganography seeks to hide the presence of a message. Answer C is incorrect; cryptography transforms a message from readable plaintext into an unreadable form known as ciphertext.
22. Answer: A. Whole disk encryption helps mitigate the risks associated with lost or stolen laptops and accompanying disclosure laws when the organization is required to report data breaches. Answer B is incorrect; Trusted Platform Module is the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information. Answer C is incorrect; digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer D is incorrect; a hash is a generated summary from a mathematical rule or algorithm.
23. Answer: D. Quantum cryptography uses photons to transmit a key. After the key is transmitted, coding and encoding using the normal secret-key method can take place. Quantum cryptology is the first cryptology that safeguards against passive interception. Answer A is incorrect because symmetric algorithms use a single key and do not safeguard against passive interception. Answers B and C are incorrect because asymmetric encryption algorithms do not safeguard against passive interception.
24. Answer: C. In most cases, the use of SSL and TLS is single sided. Only the server is being authenticated as valid with a verifiable certificate. For example, when conducting an online banking transaction, users can be assured they are at the legitimate site by verifying the server-side certificate, whereas the client is verified by a means other than a certificate, such as a username and password. Answer A is incorrect; digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer B is incorrect; a hash is a generated summary from a mathematical rule or algorithm. Answer D is incorrect; in a dual-sided scenario, not only is the server authenticated using a certificate, but the client side is as well. This certainly can provide for a more secure environment, but additional overhead is created. Furthermore, a unique client-side certificate now needs to be created and managed for every client rather than just a single server.
25. Answer: B. Because of the sensitive nature behind the uses of cryptography, the use of well-known, proven technologies is crucial. Back doors and flaws, for example, can undermine any encryption algorithm, which is why proven algorithms should always be considered. Although various vendors might have their own encryption solutions, most of these depend upon well-known, time-tested algorithms, and generally speaking, one should be skeptical of any vendor using a proprietary nonproven algorithm. Therefore, answers C and D are incorrect. Answer A is incorrect; DES is only a 56-bit encryption key algorithm and is considered weak.
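The asymmetric-key rules stated in answers 13 and 14 (and tested again in Objective 6.4, question 13) can be checked directly with textbook RSA. The following is an added example, not from the book: it uses deliberately tiny constructed primes so the arithmetic is visible, and no padding, so it illustrates the rules rather than a production scheme.

```python
"""Textbook RSA used only to demonstrate the asymmetric-key rules.

Rules from the explanation above:
  1. The public key encrypts; the private key decrypts.
  2. Each key undoes the other, so the private key can "encrypt" (sign)
     and the public key then "decrypts" (verifies).
  3. The public key can never decrypt a message it was used to encrypt.
  4. The private key must not be derivable from the public key; real RSA
     relies on n being too large to factor, which this toy does NOT satisfy.

The primes and messages below are constructed values, not from the book.
"""
from math import gcd


def generate_keypair(p, q, e):
    """Derive (public, private) keys from primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (n, e), (n, d)        # public key (n, e), private key (n, d)


def apply_key(key, value):
    """RSA core operation value^k mod n; it serves all four uses of a key."""
    n, k = key
    if not 0 <= value < n:
        raise ValueError("value must be an integer in [0, n)")
    return pow(value, k, n)


# Rule 1: confidentiality.
def encrypt_with_public(pub, m):
    return apply_key(pub, m)


def decrypt_with_private(priv, c):
    return apply_key(priv, c)


# Rule 2: signing is the same operation applied with the private key,
# and verification applies the public key to the signature.
def sign_with_private(priv, m):
    return apply_key(priv, m)


def verify_with_public(pub, signature, m):
    return apply_key(pub, signature) == m


# Rule 3: applying the public key to its own ciphertext does not recover m.
def public_key_undoes_own_encryption(pub, m):
    return apply_key(pub, encrypt_with_public(pub, m)) == m


def demo():
    """Run the four rules against a constructed toy key pair and return the results."""
    pub, priv = generate_keypair(p=61, q=53, e=17)   # n = 3233, constructed toy primes
    m = 65                                          # constructed message
    c = encrypt_with_public(pub, m)
    sig = sign_with_private(priv, m)
    return {
        "ciphertext": c,                                               # 2790
        "private_decrypts_public_ciphertext": decrypt_with_private(priv, c) == m,   # True
        "public_undoes_own_encryption": public_key_undoes_own_encryption(pub, m),   # False
        "public_verifies_private_signature": verify_with_public(pub, sig, m),       # True
        "signature_rejected_for_altered_message": not verify_with_public(pub, sig, m + 1),  # True
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```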
Objective 6.2: Use and apply appropriate cryptographic tools and products.
1. Answer: B, C. Symmetric algorithms can be classified into either being a block cipher or a stream cipher. A stream cipher, as the name implies, encrypts the message bit by bit, one at a time, whereas a block cipher encrypts the message in chunks. Answer A is incorrect; historical pen and paper ciphers used in the past are sometimes known as classical ciphers. Answer D is incorrect because simple substitution ciphers and transposition ciphers are considered classical ciphers.
2. Answer: B. DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Based on this information, answers A, C, and D are incorrect.
3. Answer: A. Triple Data Encryption Standard (3DES), also known as Triple-DES, dramatically improves upon the DES by using the DES algorithm three times with three distinct keys. This provides a total effective key length of 168 bits. Based on this information, answers B, C, and D are incorrect.
4. Answer: D. RC4 is a stream cipher that uses a key length of 1 to 2048 bits. Answers A, B, and C are incorrect because they are all block ciphers.
5. Answer: B. Blowfish Encryption Algorithm is a block cipher that can encrypt using any size chunk of data. Blowfish can also perform encryption with any length encryption key up to 448 bits, making it a very flexible and secure symmetric encryption algorithm. Answers A and C are incorrect; although they are block ciphers, the maximum key length of RC5 is 256 and the maximum key length of International Data Encryption Algorithm (IDEA) is 128. Answer D is incorrect; RC4 is a stream cipher.
6. Answer: C. Data Encryption Standard (DES) is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Answer A is incorrect; with Triple Data Encryption Standard (3DES), the DES algorithm is used three times with three distinct keys. This provides a total effective key length of 168 bits. Answer B is incorrect; the key length of RC5 is 128 to 256 bits. Answer D is incorrect; the key length of Advanced Encryption Standard (AES) is 128 to 256 bits.
7. Answer: A. Triple Data Encryption Standard (3DES), also known as Triple-DES, dramatically improves upon the Data Encryption Standard (DES) by using the DES algorithm three times with three distinct keys. This provides a total effective key length of 168 bits. Answer B is incorrect; the key length of RC5 is 128 to 256 bits. Answer C is incorrect; DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Answer D is incorrect; the key length of Advanced Encryption Standard (AES) is 128 to 256 bits.
8. Answer: B, D. The key length of both RC5 and AES is 128 to 256 bits. Answer A is incorrect; Triple Data Encryption Standard (3DES), also known as Triple-DES, dramatically improves upon the Data Encryption Standard (DES) by using the DES algorithm three times with three distinct keys. This provides a total effective key length of 168 bits. Answer C is incorrect; DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data.
9. Answer: B. There is one type of cipher that perhaps has earned the mark as being completely unbreakable: one-time pad (OTP). Unfortunately, the OTP currently has the trade-off of requiring a key as long as the message, thus having significant storage and transmission costs. Answer A is incorrect; the key length of RC5 is 128 to 256 bits. Answer C is incorrect; the maximum key length of IDEA is 128. Answer D is incorrect; Data Encryption Standard (DES) is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data.
10. Answer: C. Advanced Encryption Standard (AES) is similar to Data Encryption Standard (DES) in that it can create keys from 128-bit to 256-bit in length and can perform the encryption and decryption of data up to 128-bit chunks of data. Similar to Triple Data Encryption Standard (3DES), the data is passed through three layers, each with a specific task, such as generating random keys based on the data and the bit strength being used. Based on this information, answers A, B, and D are incorrect. 11. Answer: C, D. Because of the additional overhead generated by using one key for encryption and another for decryption, using asymmetric algorithms requires far more resources than symmetric algorithms. Answers A and B are incorrect; both ECC and RSA are asymmetric algorithms. 12. Answer: B. PGP was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails. PGP follows the OpenPGP format that allows using a combination of public key and private key encryption (both asymmetric and symmetric encryption). Answer A is incorrect; one-time pad (OTP), which is also called a Vernam-cipher is a crypto algorithm where plaintext is combined with a random key. It does not use both asymmetric and symmetric encryption. Answer C is incorrect; Data Encryption Standard (DES) is a symmetric algorithm only. Answer D is incorrect; Elliptic Curve Cryptography (ECC) is an asymmetric algorithm only. 13. Answer: A. Rivest, Shamir, Adleman (RSA) is a well-known cryptography system used for encryption and digital signatures. In fact, the RSA algorithm is considered by many to be the standard for encryption and core technology that secures most business conducted on the Internet. Answer B is incorrect; Elliptic Curve Cryptography (ECC) is an asymmetric algorithm. Answer C is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. 
Answer D is incorrect; Data Encryption Standard (DES) is a symmetric algorithm.

14. Answer: B. Elliptic Curve Cryptography (ECC) techniques utilize a method in which elliptic curves could be used to calculate simple, but very difficult to break, encryption keys to use in general purpose encryption. One of the key benefits of ECC encryption algorithms is that they have a very compact design because of the advanced mathematics involved in ECC. Answer A is incorrect. The Rivest, Shamir, Adleman (RSA) algorithm, named after its inventors at MIT, is considered by many to be the standard for encryption and core technology that secures most business conducted on the Internet, but it is not as compact in design nor does it use the advanced mathematics that ECC does. Answer C is incorrect; although the one-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable, the design is not compact because plaintext is combined with a random key, requiring a key as long as the message. Answer D is incorrect; Data Encryption Standard (DES) is a symmetric algorithm. Although symmetric algorithms tend to be a bit more compact, they do not contain the advanced mathematics that ECC does.

15. Answer: B. There is one type of cipher that perhaps has earned the mark as being completely unbreakable: one-time pad (OTP). Unfortunately, the OTP currently has the trade-off of requiring a key as long as the message, thus having significant storage and transmission costs. Answer A is incorrect; the key length of RC5 is a set length of 128 to 256 bits. Answer C is incorrect; the maximum set key length of IDEA is 128 bits. Answer D is incorrect; Data Encryption Standard (DES) is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. As with answers A and
C, the bit length is set. None of the incorrect answers allow the overhead to be as high as OTP because the key length is set, in contrast to being equal to the length of the message.

16. Answer: C. RACE Integrity Primitives Evaluation Message Digest (RIPEMD) was developed within the academic system and is based on the design of MD4. The more commonly used 160-bit version of the algorithm, RIPEMD-160, performs comparably to SHA-1, although it is used less often. Answer A is incorrect because the Secure Hash Algorithm (SHA) family of hash algorithms was pioneered by the National Security Agency and is widely used in the U.S. government. Answer B is incorrect because the Message Digest Series Algorithm (MD2, MD4, MD5) series of encryption algorithms was created by Ronald Rivest (founder of RSA Data Security, Inc.). Answer D is incorrect; the NT LAN Manager hash (NTLM hash, also called the Unicode hash) was developed for use by Microsoft.

17. Answer: B. Pretty Good Privacy (PGP) was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails. PGP follows the OpenPGP format using a combination of public key and private key encryption. Answer A is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable but is used for authentication, not mail encryption. Answer C is incorrect; Data Encryption Standard (DES) is a symmetric algorithm used for data encryption, not email. Answer D is incorrect; Elliptic Curve Cryptography (ECC) is an asymmetric algorithm most effectively used in wireless communications and in devices with low computing power or resources.

18. Answer: C. Advanced Encryption Standard (AES) supports key lengths of 128, 192, and 256 bits; many commercial offerings, to encrypt laptops or USB sticks for example, supply AES at the maximum 256-bit key length. Based on this information, answers A, B, and D are incorrect.

19. Answer: D.
TKIP uses the RC4 algorithm and does not require an upgrade to existing hardware. Based on this information, answers A, B, and C are incorrect.

20. Answer: D. Wired Equivalent Privacy (WEP) uses the RC4 cipher for confidentiality; however, the WEP algorithm, although still widely used, is no longer considered secure and has been replaced. Based on this information, answers A, B, and C are incorrect.

21. Answer: B. A hash is a generated summary from a mathematical rule or algorithm and is used commonly as a “digital fingerprint” to verify the integrity of files and messages as well as to ensure message integrity and provide authentication verification. Answer A is incorrect; encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer C is incorrect because a cryptography key describes a string of bits, which are used for encrypting and decrypting data. Answer D is incorrect. An algorithm is the mathematical procedure or sequence of steps taken to perform a variety of functions. Hashing and encryption are examples of how algorithms can be used.

22. Answer: C. Hash functions work by taking a string (for example, a password or email) of any length, and producing a fixed-length string for output. Based on this information, answers A, B, and D are incorrect.
23. Answer: D. Although you can create a hash from a document, you cannot re-create the document from the hash. Keep in mind that hashing is a one-way function. Based on this information, answers A, B, and C are incorrect.

24. Answer: A. Secure Hash Algorithm (SHA, SHA-1) are hash algorithms pioneered by the National Security Agency and widely used in the U.S. government. SHA-1 can generate a 160-bit hash from any variable length string of data, making it very secure but also resource intensive. Based on this information, answers B, C, and D are incorrect.

25. Answer: C. Message Digest Series Algorithms MD2, MD4, and MD5 are a series of encryption algorithms created by Ronald Rivest (founder of RSA Data Security, Inc.), that are designed to be fast, simple, and secure. The MD series generates a hash of up to a 128-bit strength out of any length of data. Based on this information, answers A, B, and D are incorrect.

26. Answer: B. A Message Authentication Code (MAC) is similar to a hash function. The MAC is a small piece of data known as an authentication tag, which is derived by applying a message or file combined with a secret key to a cryptographic algorithm. The resulting MAC value can ensure the integrity of the data as well as its authenticity, because a user in possession of the secret key can subsequently detect if there are any changes from the original. Answer A is incorrect because it describes symmetric encryption. Answer C is incorrect because it describes asymmetric encryption. Answer D is incorrect because it describes the Secure Hash Algorithm.

27. Answer: A, C. The two primary weaknesses of LM hash are first, that all passwords longer than seven characters are broken down into two chunks, from which each piece is hashed separately. Second, before the password is hashed, all lowercase characters are converted to uppercase characters. Answers B and D are incorrect; LM hashes have nothing to do with encryption keys.

28. Answer: D.
A Message Authentication Code (MAC) is similar to a hash function, but it is able to resist forgery and is not open to man-in-the-middle attacks. A MAC can be thought of as an encrypted hash, combining an encryption key and a hashing algorithm. Based on this information, answers A, B, and C are incorrect.

29. Answer: B. Both SHA and the MD series are similar in design; however, keep in mind that because of the higher bit strength of the SHA-2 algorithm, it will be in the range of 20% to 30% slower to process than the MD family of algorithms; therefore, answer A is incorrect. Answer C is incorrect; LM hash is based on DES encryption. Answer D is incorrect; NTLMv2 hashing makes use of the MD hashing algorithm.

30. Answer: D. NTLMv2 hashing makes use of the MD4 and MD5 hashing algorithms and is used on more recent versions of the Windows operating system. Answers A and B are incorrect; MD5 and SHA are typically not used in place of NTLMv2. Answer C is incorrect; the NTLM hash is an improvement over the LM hash. LM hash is based on DES encryption, yet it is not considered to be effective (and is technically not truly a hashing algorithm) due to weaknesses in the design implementation.
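As an added illustration of answers 21 through 28 (this is not code from the book), the following Python uses only the standard library to show that a hash yields a fixed-length fingerprint whatever the input length, and why a keyed MAC resists forgery where a plain hash does not. The message, the altered message and the shared secret are constructed sample values.

```python
"""Hash versus MAC: constructed example for the hashing answers above.

Uses only the Python standard library (hashlib, hmac). The messages and the
shared secret below are constructed sample values, not real data.
"""
import hashlib
import hmac

# Constructed sample inputs of very different lengths.
SHORT_MESSAGE = b"transfer 100 to account 42"
LONG_MESSAGE = b"x" * 10_000
TAMPERED_MESSAGE = b"transfer 900 to account 42"

# Constructed secret shared by sender and verifier (not a real key).
SECRET_KEY = b"example-shared-secret-do-not-reuse"


def digest_lengths(message: bytes) -> dict:
    """Return the digest length in bits for each algorithm.

    Whatever the input length, MD5 yields 128 bits, SHA-1 160 bits and
    SHA-256 256 bits: that fixed-length output is the "digital fingerprint"
    the answers describe.
    """
    return {
        "md5": len(hashlib.md5(message).digest()) * 8,
        "sha1": len(hashlib.sha1(message).digest()) * 8,
        "sha256": len(hashlib.sha256(message).digest()) * 8,
    }


def plain_hash_integrity_check(message: bytes, expected_hex: str) -> bool:
    """Integrity only: recompute the hash and compare it to the stored one."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), expected_hex)


def make_tag(key: bytes, message: bytes) -> str:
    """Produce the authentication tag (HMAC-SHA256) over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison of the received tag with a freshly computed one."""
    return hmac.compare_digest(make_tag(key, message), tag)


def forgery_demo() -> dict:
    """Show why a plain hash does not resist forgery but a MAC does.

    Anyone who changes the message in transit can also recompute a keyless
    hash, so the receiver's hash check still passes. Without the secret key
    the MAC cannot be recomputed, so the tag check fails on the altered text.
    """
    # Sender stores message + plain hash, and separately message + MAC.
    sent_hash = hashlib.sha256(SHORT_MESSAGE).hexdigest()
    sent_tag = make_tag(SECRET_KEY, SHORT_MESSAGE)

    # The altered message arrives with a recomputed keyless hash...
    forged_hash = hashlib.sha256(TAMPERED_MESSAGE).hexdigest()
    # ...but the MAC can only be copied from the original, not recomputed.
    forged_tag = sent_tag

    return {
        "hash_check_on_original": plain_hash_integrity_check(SHORT_MESSAGE, sent_hash),
        "hash_check_on_forgery": plain_hash_integrity_check(TAMPERED_MESSAGE, forged_hash),
        "mac_check_on_original": verify_tag(SECRET_KEY, SHORT_MESSAGE, sent_tag),
        "mac_check_on_forgery": verify_tag(SECRET_KEY, TAMPERED_MESSAGE, forged_tag),
    }


if __name__ == "__main__":
    print(digest_lengths(SHORT_MESSAGE), digest_lengths(LONG_MESSAGE))
    print(forgery_demo())
```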
Objective 6.3: Explain core concepts of public key infrastructure.

1. Answer: B. A public key infrastructure is a vast collection of varying technologies and policies for the creation and use of digital certificates. Answer A is incorrect because it describes the X.509 standard. Answer C is incorrect because it describes Public Key Cryptography Standards (PKCS). Answer D is incorrect because it describes public key infrastructure (X.509) (PKIX).

2. Answer: A. In a certificate trust model, everybody’s certificate is issued by a third party called the certificate authority (CA). If the CA is trusted, the certificates that the CA issues are automatically trusted. Answer B is incorrect; certificate authorities (CAs) are trusted entities and are an important concept within PKI. The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate and ensure that the holder of the certificate is who they claim to be. Answer C is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer D is incorrect; a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

3. Answer: C. The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and published by RSA Laboratories. Answer B is incorrect because it describes a public key infrastructure (PKI). Answer A is incorrect because it describes the X.509 standard. Answer D is incorrect because it describes public key infrastructure (X.509) (PKIX).

4. Answer: C. A registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information.
Answer A is incorrect because in a certificate trust model, everybody’s certificate is issued by a third party called the certificate authority (CA). If the CA is trusted, the certificates that the CA issues are automatically trusted. Answer B is incorrect; certificate authorities (CAs) are trusted entities and are an important concept within PKI. The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate and ensure that the holder of the certificate is who they claim to be. Answer D is incorrect; a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

5. Answer: A. The validity period identifies the time frame for which the private key is valid, if the private key has not been compromised. This period is indicated with both a start and an end time, and may be of any duration, but it is often set to one year. Based on this information, answers B, C, and D are incorrect.

6. Answer: B, C, D. Information about the signature algorithm identifier, user’s public key, and serial number of the issuing certificate authority (CA) is included within a digital certificate. A user’s private key should never be contained within the digital certificate and should remain under tight control; therefore, answer A is incorrect.
7. Answer: B. Certificate authorities (CAs) are trusted entities and are an important concept within public key infrastructure (PKI). The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be. Answer A is incorrect because in a certificate trust model, everybody’s certificate is issued by a third party called certificate authority (CA). If the CA is trusted, the certificates that the CA issues are automatically trusted. Answer C is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer D is incorrect; a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

8. Answer: A. The X.509 standard defines a framework for authentication services by a directory and the format of required data for digital certificates. Answer B is incorrect because it describes a public key infrastructure (PKI). Answer C is incorrect because it describes Public Key Cryptography Standards (PKCS). Answer D is incorrect because it describes public key infrastructure (X.509) (PKIX).

9. Answer: D. A certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. Answer A is incorrect because in a certificate trust model, everybody’s certificate is issued by a third party called a certificate authority (CA). If one trusts the CA, he automatically trusts the certificates that CA issues. Answer B is incorrect; certificate authorities (CAs) are trusted entities and are an important concept within PKI.
The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be. Answer C is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information.

10. Answer: D. Public key infrastructure (X.509) (PKIX) describes the development of Internet standards for X.509-based public key infrastructure (PKI). Answer B is incorrect because it describes a PKI. Answer A is incorrect because it describes the X.509 standard. Answer C is incorrect because it describes Public Key Cryptography Standards (PKCS).

11. Answer: A, D. A registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer B is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. Answer C is incorrect because the CA’s job is to issue certificates, as well as to verify the holder of a digital certificate and ensure that the holder of the certificate is who they claim to be.

12. Answer: B. Revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate is no longer considered trustworthy. For example, if a certificate holder’s private key is compromised, the certificate is most likely to be revoked. Answer A is incorrect because recovery is necessary if a certifying key is compromised but the certificate holder is still considered valid and trusted. In this case, it is not true. Answer C is incorrect because changing the trust model would necessitate unneeded changes. Answer D is incorrect. Key escrow
occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

13. Answer: D. A certificate policy indicates specific uses applied to a digital certificate, as well as other technical details. Thus, the certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. Answer A is incorrect because a registration authority (RA) provides authentication to the certificate authority (CA) as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer B is incorrect; key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer C is incorrect because a trust model is an architecture within a public key infrastructure (PKI) for certificate authorities.

14. Answer: B. Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer A is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer C is incorrect because a trust model is an architecture within a PKI for certificate authorities. Answer D is incorrect; a certificate policy indicates specific uses applied to a digital certificate, as well as other technical details. Thus, the certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate.

15. Answer: C. The focus of a certificate policy is on the certificate, whereas the focus of a certificate practice statement is on the certificate authority (CA) and the way that the CA issues certificates. Answer A is incorrect because the focus in the given statement is reversed.
Answers B and D are incorrect; neither a certificate policy nor a CPS focuses solely on the keys.

16. Answer: B. A component of public key infrastructure (PKI) includes a mechanism for distributing certificate revocation information, called certificate revocation lists (CRLs). A CRL is used when verification of a digital certificate takes place to ensure the validity of the digital certificate. Answer A is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. Answer C is incorrect because an Access Control List is used to control object permissions. Answer D is incorrect because a public key infrastructure is a vast collection of varying technologies and policies for the creation and use of digital certificates.

17. Answer: A. An alternative to the hierarchical model is the cross-certification model, often referred to as a Web of Trust. In this model, certificate authorities (CAs) are considered peers to one another. Answer B is incorrect; in a hierarchical CA model, an initial root CA exists at the top of the hierarchy with subordinate CAs below. Answer C is incorrect; a solution to the complexity of a large cross-certification model is to implement what is known as a bridge CA model. By implementing bridging, you can have a single CA, known as the bridge CA, be the central point of trust. Answer D is incorrect; a virtual bridge certificate authority model is used to overcome the bridge certificate authority compromise problem and removes the cross certificates among trust domains.
18. Answer: D. Key recovery is the process of restoring a key pair from a backup and recreating a digital certificate using the recovered keys. Answer A is incorrect; after the key pairs are generated and a digital certificate has been issued by the CA, both keys must be stored appropriately to ensure their integrity is maintained. However, the key use must still be easy and efficient. Answer B is incorrect; when a certificate is no longer valid, certificate revocation occurs. Answer C is incorrect. Key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

19. Answer: A. In the single certificate authority (CA) architecture, only one CA exists to issue and maintain certificates. Although this model may be beneficial to smaller organizations because of its administrative simplicity, it has the potential to present problems. If the private key of the CA becomes compromised, all the issued certificates from that CA would then be invalid; therefore, answer B is incorrect. Answers C and D are incorrect; a single CA architecture is based on simplicity.

20. Answer: D. A root certificate authority (CA) differs from subordinate CAs in that the root CA is taken offline to reduce the risk of key compromise, and the root CA should be made available only to create and revoke certificates for subordinate CAs. Remember, if the root CA is compromised, the entire architecture is compromised. If a subordinate CA is compromised, however, the root CA can revoke the subordinate CA. Based on this information, answer A is incorrect. Answer B is incorrect; a secondary CA is treated the same as a subordinate CA. Answer C is incorrect because a bridge CA is a solution to the complexity of a large cross-certification model.
Objective 6.4: Implement PKI, certificate management, and associated components.

1. Answer: B, D. The certificate life cycle is typically based on two documents: the certificate policy and the certification practice statement (CPS). Answer A is incorrect because certificate revocation statement is an incorrect term. The correct term is a certificate revocation list (CRL). A CRL is used when verification of a digital certificate takes place to ensure the validity of the digital certificate. Answer C is incorrect because key escrow allows the certificate authority (CA) or escrow agent to have access to all the information that is encrypted using the public key from a user’s certificate, as well as create digital signatures on behalf of the user.

2. Answer: A, B. Although the benefit of central control may be seen as an advantage, a centralized system also has other disadvantages, which include additional required infrastructure, a need to positively authenticate the end entity prior to transmitting the private key, as well as the need for a secure channel to transmit the private key. Answer C is incorrect; additional overhead is reduced with a centralized system. Answer D is incorrect; the public key does not need a secure channel.

3. Answer: C. Key escrow allows the certificate authority (CA) or escrow agent to have access to all the information that is encrypted using the public key from a user’s certificate, as well as create digital signatures on behalf of the user. Answer A is incorrect; after the key pairs are generated and a digital certificate has been issued by the CA,
both keys must be stored appropriately to ensure their integrity is maintained. However, the key use must still be easy and efficient. Answer B is incorrect because when a certificate is no longer valid, certificate revocation occurs. Answer D is incorrect; key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys.

4. Answer: B, C. Both Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs) are used to verify the status of a certificate. Answer A is incorrect. The certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. Answer D is incorrect because a certificate practice statement (CPS) is a legal document created and published by a certificate authority (CA) for the purpose of conveying information to those depending on the CA’s issued certificates.

5. Answer: B. Certificate suspension occurs when a certificate is under investigation to determine if it should be revoked. This mechanism allows a certificate to stay in place, but it is not valid for any type of use during the suspension. Answer A is incorrect; revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate is no longer considered trustworthy. Answer C is incorrect; key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Answer D is incorrect; key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

6. Answer: C. Key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Answer A is incorrect; revoking a certificate invalidates a certificate before its expiration date.
Revocation typically occurs because the certificate is no longer considered trustworthy. Answer B is incorrect; certificate suspension occurs when a certificate is under investigation to determine if it should be revoked. This mechanism allows a certificate to stay in place, but it is not valid for any type of use during the suspension. Answer D is incorrect; key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

7. Answer: D. In a decentralized key system, the end user generates his or her own key pair. The other functions, such as creation of the certificate, the revocation of the certificate, and key recovery and archiving are still handled by the certificate authority; therefore, answers A, B, and C are incorrect.

8. Answer: C. A solution to the complexity of a large cross-certification model is to implement what is known as a bridge certificate authority (CA) model. Remember that in the cross-certification model, each CA must trust the others; however, by implementing bridging, it is possible to have a single CA, known as the bridge CA, be the central point of trust. Answers A and D are incorrect because these are CA server types, not models. Answer B is incorrect; in the hierarchical CA model, an initial root CA exists at the top of the hierarchy, and subordinate CAs reside beneath the root.

9. Answer: B. In some circumstances, dual or multiple key pairs might be used to support distinct and separate services. For example, a reorder associate may have one key pair to be used for signing and sending encrypted messages and might have another restricted to ordering equipment worth no more than a specific dollar amount. Multiple
key pairs require multiple certificates because the X.509 certificate format does not support multiple keys; therefore, answers A, C, and D are incorrect.

10. Answer: B. The key usage extension of the certificate specifies how the private key can be used. It is used either to enable the exchange of sensitive information or to create digital signatures. Answer A is incorrect because it describes the signature algorithm identifier. Answer C is incorrect because it describes the validity period. Answer D is incorrect because the public key is not of consequence to the extension usage.

11. Answer: A, C. If the key pair to be destroyed is used for digital signatures, the private key portion should be destroyed first, to prevent future signing activities with the key. In addition, a digital certificate associated with keys that are no longer valid should be added to the CRL regardless of whether the key is actually destroyed or archived. Answer B is incorrect because the concern is the private key. Answer D is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

12. Answer: B, C. The key usage extension of the certificate specifies how the private key can be used. It is used either to enable the exchange of sensitive information or to create digital signatures. Answer A is incorrect because peer negotiation is associated with SSL/TLS. Answer D is incorrect because securing connections is associated with PPTP.

13. Answer: B. In asymmetric encryption, the private key decrypts data encrypted with the public key. Answer A is incorrect because the public key cannot decrypt the same data it encrypted. Answer C is incorrect because the public key would be used to encrypt and the private key to decrypt. Answer D is incorrect because this describes symmetric encryption.

14. Answer: C.
Every certificate is issued with an expiration date. When the certificate expires, a new certificate needs to be reissued. So long as the certificate holder’s needs or identity information has not changed, the process is relatively simple. After the issuing certificate authority (CA) validates the entity’s identity, a new certificate can be generated based on the current public key; therefore, answers A, B, and D are incorrect.

15. Answer: A, C, D. The certificate life cycle refers to those events required to create, use, and destroy public keys and the digital certificates with which they are associated. The certificate life cycle is typically based on two documents: the certificate policy and the certification practice statement (CPS). Answer B is incorrect; preservation is not included in the certificate life cycle.

16. Answer: B, D. Revoking a certificate is not enough. The community that trusts these certificates must be notified that the certificates are no longer valid. This is accomplished via a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP). Answer A is incorrect; it should read certificate policy. The certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. Answer C is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.
17. Answer: A. Certificate suspension occurs when a certificate is under investigation to determine whether it should be revoked. Like the status checking that occurs with revoked certificates, users and systems are notified of suspended certificates in the same way. The primary difference is that new credentials will not need to be retrieved; it is only necessary to be notified that current credentials have had a change in status and are temporarily not valid for use. Answer B is incorrect because the proper usage is reversed. Answers C and D are incorrect because both revocation and suspension have to do with credentials, not key pair restoration.

18. Answer: B. M of N control as it relates to public key infrastructure (PKI) refers to the concept of backing up the public and private key across multiple systems. This multiple backup provides a protective measure to ensure that no one individual can re-create his or her key pair from the backup. Answer A is incorrect; key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer C is incorrect; key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Answer D is incorrect; version control is associated with software development.

19. Answer: B, C, D. Three basic status levels exist in most public key infrastructure (PKI) solutions: valid, suspended, and revoked. Answer A is incorrect; active status is a generic term that is not specifically associated with status levels in a PKI.

20. Answer: A. Key escrow enables an organization to overcome the large problem of forgotten passwords. Rather than revoke and reissue new keys, an organization can generate a new certificate using the private key stored in escrow. Answers B, C, and D are incorrect; forged signatures, phishing, and virus infections have nothing to do with key escrow.
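As an added worked example of the certificate-status checks described across Objectives 6.3 and 6.4 (not code from the book), this Python models a relying party checking a certificate's validity period and then the issuer's CRL to arrive at one of the three status levels: valid, suspended, or revoked. It does not parse real X.509 data; the issuer name, certificates, serial numbers and CRL entries are constructed, and the mapping of suspension onto the X.509 certificateHold reason code comes from RFC 5280, not from the book.

```python
"""Certificate status model for the PKI answers above (constructed example).

Models the validity-period check and the CRL lookup a relying party performs.
It does not parse real X.509 certificates or CRLs; all data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# X.509 CRL reason codes (RFC 5280, section 5.3.1). A CA suspends a
# certificate by listing it with reason certificateHold; any other reason,
# such as keyCompromise, is a permanent revocation.
REASON_KEY_COMPROMISE = 1
REASON_CERTIFICATE_HOLD = 6


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime  # start of the validity period
    not_after: datetime   # end of the validity period


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    reason: int


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: dict = field(default_factory=dict)  # serial -> RevokedEntry


def certificate_status(cert: Certificate, crl: CRL, now: datetime) -> str:
    """Return 'valid', 'suspended' or 'revoked', or why the check cannot pass.

    The validity period is checked first; only a certificate inside its
    window is worth looking up in the issuer's CRL, which then decides
    between the three PKI status levels.
    """
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    if crl.issuer != cert.issuer:
        return "wrong crl issuer"
    # A CRL past its nextUpdate is stale: refuse to rely on it rather than
    # assume the certificate is still good.
    if now > crl.next_update:
        return "stale crl"
    entry = crl.entries.get(cert.serial)
    if entry is None:
        return "valid"
    if entry.reason == REASON_CERTIFICATE_HOLD:
        return "suspended"  # stays in place but is unusable during the hold
    return "revoked"


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed issuer name, certificates and CRL (not real PKI data).
ISSUER = "CN=Example Issuing CA"
SAMPLE_CERTS = {
    "good": Certificate(1001, "CN=alice", ISSUER, _utc(2024, 1, 1), _utc(2025, 1, 1)),
    "held": Certificate(1002, "CN=bob", ISSUER, _utc(2024, 1, 1), _utc(2025, 1, 1)),
    "compromised": Certificate(1003, "CN=carol", ISSUER, _utc(2024, 1, 1), _utc(2025, 1, 1)),
    "expired": Certificate(1004, "CN=dave", ISSUER, _utc(2023, 1, 1), _utc(2024, 1, 1)),
}
SAMPLE_CRL = CRL(
    issuer=ISSUER,
    this_update=_utc(2024, 6, 1),
    next_update=_utc(2024, 6, 8),
    entries={
        1002: RevokedEntry(1002, REASON_CERTIFICATE_HOLD),
        1003: RevokedEntry(1003, REASON_KEY_COMPROMISE),
    },
)


def check_all(now: datetime) -> dict:
    """Status of every sample certificate against the sample CRL at `now`."""
    return {name: certificate_status(c, SAMPLE_CRL, now) for name, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, status in check_all(_utc(2024, 6, 3)).items():
        print(f"{name:12s} {status}")
```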